Abstract — We investigate the simulation problem of dense-time systems. A specification simulates a model if the specification can match every transition that the model can make at a time point. We also adapt the approach of Emerson and Lei and allow for multiple strong and weak fairness assumptions in checking the simulation relation. Furthermore, we allow for fairness assumptions specified as either state-predicates or event-predicates. We focus on a subclass of the problem with at most one fairness assumption for the specification. We then present a simulation-checking algorithm for this subclass. We propose simulation of a model by a specification against a common environment. We present efficient techniques for such simulations to take the common environment into consideration. Our experiment shows that such a consideration can dramatically improve the efficiency of checking simulation. We also report the performance of our algorithm in checking liveness properties with fairness assumptions.

Keywords: branching simulation, fairness, verification, Büchi automata, concurrent computing, timed automata, algorithms, experiment

I. Introduction

Modern real-time systems pose tremendous challenges to verification engineers. The reason is that a model process running in a modern real-time system can be built with support from many server processes in the environment. Moreover, the model may also have to respond to requests from several user processes. The fulfillment of a computation relies not only on the functional correctness of the model, but also on the reactions of the servers and the clients. For example, a company may submit a task of DNA sequencing to a server. The server then develops a computing budget and decomposes the task into several subtasks (e.g., SNP finding, alignments). Then the server may delegate the subtasks to several other servers. The decomposition of subtasks may then go on and on. If the task is to be completed, not only must the server for the root task function correctly, but all the servers for the subtasks also have to fulfill their assignments. Thus, to verify the function of the root server, it is only reasonable and practical to assume that all the other supporting servers work correctly.

In many industrial projects, the specification can be given in the form of state-transition diagrams (or tables). In such a context, simulation-checking is an appropriate framework for verifying that a model conforms to the behavior of a specification [?], [23]. Intuitively, the specification simulates the model if every timed step of the model can be matched by the specification at the same time.

Example 1: In figure 1 we have the state-transition diagrams of two timed automata (TA) [3]. The one in figure 1(a) is for a model $\mathcal{M}$, while the one in figure 1(b) is for a specification $\mathcal{S}$. We use ovals for the control locations of the TAs and arcs for the transition rules. In each oval, we label the invariance condition that must be satisfied in the location. For example, in location $\mathit{wait}_1$, $\mathcal{M}$ can stay for at most 20 time units. By each transition rule, we stack its synchronization event, triggering condition (guard), and actions. For convenience, tautology triggering conditions and nil actions are omitted. An event starting with a '?' represents a receiving event while one with a '!' represents a sending event. For example, for the transition from location $\mathit{idle}_1$ to $\mathit{wait}_1$, $\mathcal{M}$ must send out an event request, be in a state satisfying $x_1 > 5$, and reset clock $x_1$ to zero. The specification in figure 1(b) does not simulate the model in figure 1(a) since event !end of $\mathcal{M}$ cannot be matched by any event of $\mathcal{S}$. Moreover, $\mathcal{S}$ cannot receive a ?serve event 15 time units after issuing a !request event, while $\mathcal{M}$ can. ■

However, the concept of simulation described in the last paragraph can be too restrictive in practice. Developers of a project usually cannot make too many assumptions on the environment. The deadline constraints $x_1 \leq 20$ and $x_2 \leq 15$ can be too restrictive and hurt the extensibility of the model in the future. Another approach in this regard is using fairness assumptions [10], [22]. For example, for the model and specification processes in figure 1, we may want to check whether $\mathcal{S}$ simulates $\mathcal{M}$ under the fairness assumption that the environment functions reasonably. Such an assumption can be captured with the fairness assumption that there will always be infinitely many occurrences of event serve. Under this assumption, the $\mathcal{S}$ in figure 1(b) actually simulates the $\mathcal{M}$ in figure 1(a).

In this work, we propose simulation with fairness assumptions for processes in a dense-time setting. In such a setting, the model and the specification are both generalized Büchi timed automata (GBTA) [3] with communication channels and dense-time behaviors. We want to check whether the specification GBTA can simulate the model GBTA with multiple fairness assumptions. Following the approach of [9],



Fig. 1. A model process and a specification process.
(a) a model process $\mathcal{M}$: transitions !request ($x_1 > 5$; $x_1 := 0$), ?serve ($x_1 := 0$), and !end ($x_1 > 10$).
(b) a specification process $\mathcal{S}$: transitions !request ($x_2 > 5$) and ?serve ($x_2 := 0$).



we allow for the requirement and analysis of both strong and weak fairness assumptions. A strong fairness assumption intuitively means that something will happen infinitely many times. A weak fairness assumption means that something will eventually hold true forever. For convenience, we use two consecutive sets of formulas for fairness assumptions, the former for the strong fairness assumptions and the latter for the weak fairness assumptions.

Example 2: For the system in figure 1 we may have the following fairness assumptions.

$\{\mathit{wait}_1\}\{\mathit{idle}_1 \vee \mathit{wait}_1\}$

The fairness assumptions above say that a valid computation of the system must satisfy the following two conditions.

• For the strong fairness assumption $\{\mathit{wait}_1\}$: For every $t \in \mathbb{R}^{\geq 0}$, there exists a $t' \in \mathbb{R}^{\geq 0}$ with $t' \geq t$ such that in the computation at time $t'$, the model process is in location $\mathit{wait}_1$. This in fact says that the model must enter location $\mathit{wait}_1$ infinitely many times along any valid computation.

• For the weak fairness assumption $\{\mathit{idle}_1 \vee \mathit{wait}_1\}$: There exists a $t \in \mathbb{R}^{\geq 0}$ such that for every $t' \in \mathbb{R}^{\geq 0}$ with $t' \geq t$, the model process is in either location $\mathit{idle}_1$ or $\mathit{wait}_1$. This in fact says that the model will stabilize in locations $\mathit{idle}_1$ and $\mathit{wait}_1$.

The two types of fairness assumption complement each other and can be handy in making reasonable assumptions. ■
Furthermore, we also allow for both state formulas and event formulas [25] in the description of fairness assumptions. State formulas are Boolean combinations of atomic statements of location names and state variables. For convenience, we use index 1 for the model and index 2 for the specification. Event formulas are then constructed with a precondition, an event name with a process index, and a post-condition in sequence.

Example 3: For the system in figure 1 we may write the following strong event fairness assumption.

$\{(\mathit{wait}_1)\,?serve@(1)\,(\mathit{true})\}\{\}$

The event specification ?serve@(1) means there is an event serve received by process 1. The precondition for the event is $\mathit{wait}_1$ while the post-condition is true. The strong fairness assumption says that there should be infinitely many events serve received by process 1 in location $\mathit{wait}_1$. ■

In general, an event specification can be either a receiving 
or a sending event. Such event formulas can be useful in 
making succinct specifications. Without such event formulas, 
we may have to use auxiliary state variables to distinguish 
those states immediately before (or after) an event from others. 
Such auxiliary variables usually unnecessarily exacerbate the 
state space explosion problem. 

One goal of our work is to develop a simulation-checking algorithm based on symbolic model-checking technology for dense-time systems [18], [24]. To achieve this, we focus on a special class of simulations with the restriction of at most one fairness assumption for the specification. For convenience, we call this class the USF (unit-specification-fairness) simulations. Then we propose a symbolic algorithm for this special class of simulations. To our knowledge, this is the first such algorithm for GBTAs. Also, unlike the fair simulation checking algorithm based on ranking functions in the literature [14], our algorithm is based on the manipulation of symbolic logic formulas, which has been proven useful in symbolic model checking [6]. Thus, our algorithm style can be interesting in itself.

We also present a technique for the efficient simulation checking of concurrent systems by taking advantage of the common environment of a model and a specification. To apply the simulation checking algorithms mentioned above and in the literature [8], [23], we first need to construct a product automaton of the environment $\mathcal{E}$ and the model $\mathcal{M}$, in symbols $\mathcal{E} \times \mathcal{M}$. Then we construct a product of $\mathcal{E}$ and the specification $\mathcal{S}$, in symbols $\mathcal{E} \times \mathcal{S}$. Then we check if $\mathcal{E} \times \mathcal{S}$ simulates $\mathcal{E} \times \mathcal{M}$. As a result, such algorithms incur duplicate recording of the state information of $\mathcal{E}$ while manipulating representations for the simulation of $\mathcal{E} \times \mathcal{M}$ by $\mathcal{E} \times \mathcal{S}$. Moreover, different transitions in $\mathcal{E}$ with the same observable events can also be matched in the simulation-checking. Such matching is not only counter-intuitive in simulation against the same environment, but also incurs an explosion in the enumeration of matched transitions between $\mathcal{E} \times \mathcal{M}$ and $\mathcal{E} \times \mathcal{S}$. Our technique is embodied in the definition of a new simulation relation against a common environment. We have implemented this technique and experimented with benchmarks with and without fairness assumptions.

We have the following presentation plan. Section II is for related work. Section III reviews our system models [3], [20]. Section IV presents our simulation for dense-time systems with fairness assumptions. Section V presents a characterization of the simulation when the specification is a Büchi TA. Section VI presents our simulation checking algorithm based on the characterization derived in section V. Section VII presents the simulation against a common environment and techniques for performance verification in this context. Sections VIII and IX respectively report our implementation and experiment. Section X is the conclusion.

II. Related work 

Cerans showed that the bisimulation-checking problem of timed processes is decidable [8]. Taşiran et al. showed that the simulation-checking problem of dense-time automata (TAs) [3] is in EXPTIME [23]. Weise and Lenzkes reported an algorithm based on zones for timed bisimulation checking [32]. Cassez et al. presented an algorithm for the reachability games of TAs with controllable and uncontrollable actions [?].

Henzinger et al. presented an algorithm that computes the time-abstract simulation that does not preserve timed properties [13]. Nakata also discussed how to do symbolic bisimulation checking with integer-time labeled transition systems [19]. Beyer has implemented a refinement-checking algorithm for TAs with integer-time semantics [?].

Lin and Wang presented a sound proof system for the bisimulation equivalence of TAs with dense-time semantics [?]. Aceto et al. discussed how to construct a modal logic formula that completely characterizes a TA [?].

Larsen presented a similar theoretical framework for bisimulation in an environment for untimed systems [16]. However, no implementation that takes advantage of the common environment information for verification performance has been reported.

Proposals for extending simulation with fair states have been discussed in [?], [?], [?]. Our simulation game of GBTAs stems from Henzinger et al.'s framework of fair simulation [14]. Techniques for simulation checking of GBAs were also discussed in [10], [22].



III. Preliminary

We have the following notations. $\mathbb{R}$ is the set of real numbers. $\mathbb{R}^{\geq 0}$ is the set of non-negative reals. $\mathbb{N}$ is the set of nonnegative integers. Also, 'iff' is "if and only if." Given a set $P$ of atomic propositions and a set $X$ of clocks, we use $\mathcal{B}(P, X)$ as the set of all Boolean combinations of logic atoms of the forms $q$ and $x \sim c$, where $q \in P$, $x \in X$, '$\sim$' $\in \{<, \leq, =, \geq, >\}$, and $c \in \mathbb{N}$. An element in $\mathcal{B}(P, X)$ is called a state-predicate.

A. Timed automata

A TA [3], [20], [?] is structured as a directed graph whose nodes are modes (control locations) and whose arcs are transitions. Please see figure 1 for examples. A TA must always satisfy its invariance condition. Each transition is labeled with events, a triggering condition, and a set of clocks to be reset during the transition. At any moment, a TA can stay in only one mode. If a TA executes a transition, then the triggering condition must be satisfied. In between transitions, all clocks in a TA increase their readings at a uniform rate.

Definition 1: Timed automata (TA) A TA $A$ is a tuple $(Q, P, X, I, \lambda, E, \Sigma, \varepsilon, \tau, \pi)$. $Q$ is a finite set of modes (locations). $P$ is a finite set of propositions. $X$ is a finite set of clocks. $I \in \mathcal{B}(P, X)$ is the initial condition. $\lambda : Q \mapsto \mathcal{B}(P, X)$ is the invariance condition for each mode. $E \subseteq Q \times Q$ is the set of process transitions. $\Sigma$ is a finite set of events. $\varepsilon : E \mapsto 2^{\Sigma}$ is a mapping that defines the events at each transition. $\tau : E \mapsto \mathcal{B}(P, X)$ and $\pi : E \mapsto 2^{X}$ respectively define the triggering condition and the clock set to reset of each transition.

Without loss of generality, we assume that for all $q, q' \in Q$ with $q \neq q'$, $\lambda(q) \wedge \lambda(q')$ is a contradiction. We also assume that there is a null transition $\bot$ that does nothing at any location. That is, the null transition transits from a location to the location itself. Moreover, $\tau(\bot) = \mathit{true}$, $\pi(\bot) = \emptyset$, and $\varepsilon(\bot) = \emptyset$. ■

Given a TA $A = (Q, P, X, I, \lambda, E, \Sigma, \varepsilon, \tau, \pi)$, for convenience, we let $Q_A = Q$, $P_A = P$, $X_A = X$, $I_A = I$, $\lambda_A = \lambda$, $E_A = E$, $\Sigma_A = \Sigma$, $\varepsilon_A = \varepsilon$, $\tau_A = \tau$, and $\pi_A = \pi$. Also, for convenience, we let $V_A = \bigvee_{q \in Q}(\lambda_A(q))$ be the invariance predicate of $A$.

Example 4: We have already seen examples of TAs in figure 1. For the TA in figure 1(a), the attributes are listed in table I. ■

A valuation of a set is a mapping from the set to another set. Given an $\eta \in \mathcal{B}(P, X)$ and a valuation $\nu$ of $X \cup P$, we say $\nu$ satisfies $\eta$, in symbols $\nu \models \eta$, iff $\eta$ evaluates to true when the variables in $\eta$ are interpreted according to $\nu$.

Definition 2: States of a TA Suppose we are given a TA $A$. A state $\nu$ of $A$ is a valuation of $X_A \cup P_A$ with the following constraints.

• For each $p \in P_A$, $\nu(p) \in \{\mathit{false}, \mathit{true}\}$. There exists a $q \in Q_A$ such that $\nu \models \lambda(q)$ and for all $q' \neq q$, $\nu \not\models \lambda(q')$. Given a $q \in Q_A$, if $\nu \models \lambda(q)$, we denote $q$ as $\mathrm{mode}_A(\nu)$.

• For each $x \in X_A$, $\nu(x) \in \mathbb{R}^{\geq 0}$.

In addition, we require that $\nu \models V_A$. We let $\mathbb{S}(A)$ denote the set of states of $A$. ■
TABLE I
Attributes of the TA in figure 1(a)

$Q$: $\{\mathit{idle}_1, \mathit{wait}_1, \mathit{stop}_1\}$
$X$: $\{x_1\}$
$I$: $\mathit{idle}_1 \wedge x_1 = 0$
$\lambda$: $[\mathit{idle}_1 \mapsto \mathit{true},\ \mathit{wait}_1 \mapsto x_1 \leq 20,\ \mathit{stop}_1 \mapsto \mathit{true}]$
$E$: $\{(\mathit{idle}_1, \mathit{wait}_1), (\mathit{wait}_1, \mathit{idle}_1), (\mathit{wait}_1, \mathit{stop}_1)\}$
$\Sigma$: $\{request, serve, end\}$
$\varepsilon$: $[(\mathit{idle}_1, \mathit{wait}_1) \mapsto \{!request\},\ (\mathit{wait}_1, \mathit{idle}_1) \mapsto \{?serve\},\ (\mathit{wait}_1, \mathit{stop}_1) \mapsto \{!end\}]$
$\tau$: $[(\mathit{idle}_1, \mathit{wait}_1) \mapsto x_1 > 5,\ (\mathit{wait}_1, \mathit{idle}_1) \mapsto \mathit{true},\ (\mathit{wait}_1, \mathit{stop}_1) \mapsto x_1 > 10]$
$\pi$: $[(\mathit{idle}_1, \mathit{wait}_1) \mapsto \{x_1\},\ (\mathit{wait}_1, \mathit{idle}_1) \mapsto \{x_1\},\ (\mathit{wait}_1, \mathit{stop}_1) \mapsto \emptyset]$

$[a_1 \mapsto b_1, \ldots, a_k \mapsto b_k, \ldots]$ denotes a (partial or total) function $f$ with $f(a_1) = b_1, \ldots, f(a_k) = b_k, \ldots$



Note that we define a state as a mapping instead of as a pair of a control location and a real mapping as in [?]. This is for the convenience of presentation when later we want to discuss the state-pairs in simulation relations.

For any state $\nu$ and real number $t \in \mathbb{R}^{\geq 0}$, $\nu + t$ is a state identical to $\nu$ except that for every clock $x \in X_A$, $(\nu + t)(x) = \nu(x) + t$. Also, given a process transition $e = (q, q') \in E_A$, we use $\nu e$ to denote the destination state from $\nu$ through the execution of $e$. Formally, if $\nu \models \tau_A(e)$, then $\nu e$ is a new state that is identical to $\nu$ except that the following constraints are true.

• $q = \mathrm{mode}_A(\nu)$ and $q' = \mathrm{mode}_A(\nu e)$.

• For every clock $x \in \pi_A(e)$, $\nu e(x) = 0$.

• For every clock $x \notin \pi_A(e)$, $\nu e(x) = \nu(x)$.

Given a $t \in \mathbb{R}^{\geq 0}$ and a transition $e$, we write $\nu \xrightarrow{t,e} \nu'$ iff $\nu + t \models \tau_A(e)$, $(\nu + t)e = \nu'$, $\nu' \models V_A$, and for each $t' \in [0, t]$, $\nu + t' \models V_A$. For convenience, we use $[\nu \xrightarrow{t,e}]$ to denote such a $\nu'$ with $\nu \xrightarrow{t,e} \nu'$.

Definition 3: Runs A run of a TA $A$ is an infinite sequence $(\nu_0, e_0, t_0)(\nu_1, e_1, t_1) \ldots$ of state-transition-time triples $(\nu_k, e_k, t_k)$ with the following restrictions.

• Non-Zeno requirement: $t_0 t_1 \ldots t_k \ldots$ is a non-decreasing and divergent real-number sequence. That is, $\forall k \in \mathbb{N}$, $t_k \leq t_{k+1}$, and $\forall c \in \mathbb{N}$, $\exists k \geq 1$, $t_k > c$.

• For all $k \in \mathbb{N}$, either $\nu_k + (t_{k+1} - t_k) = \nu_{k+1}$ or $\nu_k \xrightarrow{t_{k+1} - t_k,\ e_{k+1}} \nu_{k+1}$.

A run prefix is a finite prefix of a run. A run prefix or a run $(\nu_0, e_0, t_0) \ldots$ of $A$ is initial iff $\nu_0 \models I_A$. ■
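As an added illustration of Definitions 1 to 3 (this code is not part of the paper and not the authors' tool), the following Python transcribes the model TA of figure 1(a) from table I and implements the timed step $\nu \xrightarrow{t,e} \nu'$: a delay inside the source invariant, the guard evaluated at $\nu + t$, the clock resets in $\pi(e)$, and the target invariant. States are (mode, clock valuation) pairs, the proposition set $P$ is empty for this automaton, and the invariant check during a delay tests only the two endpoints, which suffices here because every invariant is either true or an upper bound (an assumption of this example, not a general rule). The run prefixes fed to `replay` are constructed inputs.

```python
# Added example (not from the paper): timed-step semantics of Definitions 1-3 applied
# to the model TA of figure 1(a), transcribed from table I. Names and the data
# representation are this example's own choices.
from typing import Callable, Dict, FrozenSet, List, Optional, Sequence, Tuple

Clocks = Dict[str, float]                      # valuation of X (P is empty for this TA)
Pred = Callable[[Clocks], bool]                # a state-predicate in B(P, X)
State = Tuple[str, Clocks]                     # (mode_A(nu), clock readings)
Transition = Tuple[str, str]                   # e = (q, q') in E

# Attributes of M from table I.
INIT_MODE = "idle1"
INIT_COND: Pred = lambda c: c["x1"] == 0       # I = idle1 and x1 = 0
INV: Dict[str, Pred] = {                       # lambda
    "idle1": lambda c: True,
    "wait1": lambda c: c["x1"] <= 20,
    "stop1": lambda c: True,
}
# e -> (epsilon(e), tau(e), pi(e))
RULES: Dict[Transition, Tuple[FrozenSet[str], Pred, FrozenSet[str]]] = {
    ("idle1", "wait1"): (frozenset({"!request"}), lambda c: c["x1"] > 5, frozenset({"x1"})),
    ("wait1", "idle1"): (frozenset({"?serve"}), lambda c: True, frozenset({"x1"})),
    ("wait1", "stop1"): (frozenset({"!end"}), lambda c: c["x1"] > 10, frozenset()),
}


def elapse(state: State, t: float) -> State:
    """nu + t: every clock advances by t; the mode does not change."""
    mode, clocks = state
    return mode, {x: r + t for x, r in clocks.items()}


def invariant_holds_during(state: State, t: float) -> bool:
    """nu + t' |= V_A for all t' in [0, t]. Checking both endpoints is enough here
    because every invariant of M is 'true' or an upper bound (example assumption)."""
    mode, clocks = state
    return INV[mode](clocks) and INV[mode](elapse(state, t)[1])


def timed_step(state: State, t: float, e: Optional[Transition]) -> Optional[State]:
    """nu --(t, e)--> nu' as in Section III: delay t within the invariant, then fire e
    (guard at nu + t, reset pi(e)) into a state satisfying the target invariant.
    e = None stands for the null transition, which only lets time pass.
    Returns None when the step is not enabled."""
    mode, _ = state
    if t < 0 or not invariant_holds_during(state, t):
        return None
    _, delayed = elapse(state, t)
    if e is None:
        return mode, delayed
    q, q_next = e
    if q != mode or e not in RULES:
        return None
    _, guard, resets = RULES[e]
    if not guard(delayed):
        return None
    landed = {x: (0.0 if x in resets else r) for x, r in delayed.items()}
    if not INV[q_next](landed):
        return None
    return q_next, landed


def replay(steps: Sequence[Tuple[Optional[Transition], float]]) -> Optional[List[State]]:
    """Replay a run prefix given as (e_k, t_k) pairs with absolute, non-decreasing
    times t_k, starting from the initial state; returns the visited states, or
    None at the first step that is not enabled."""
    state: State = (INIT_MODE, {"x1": 0.0})
    if not INIT_COND(state[1]):
        return None
    visited = [state]
    now = 0.0
    for e, t_k in steps:
        nxt = timed_step(state, t_k - now, e)
        if nxt is None:
            return None
        visited.append(nxt)
        state, now = nxt, t_k
    return visited


def modes_of(run: Optional[List[State]]) -> Optional[List[str]]:
    return None if run is None else [m for m, _ in run]


if __name__ == "__main__":
    # Constructed run prefixes of M (example input, not from the paper).
    print(modes_of(replay([(("idle1", "wait1"), 6.0), (("wait1", "idle1"), 15.0)])))
    print(replay([(("idle1", "wait1"), 3.0)]))                               # guard x1 > 5 fails
    print(replay([(("idle1", "wait1"), 6.0), (("wait1", "stop1"), 30.0)]))  # x1 <= 20 violated
```

The third replay fails not at the transition but during the delay: staying 24 time units in $\mathit{wait}_1$ leaves the invariant $x_1 \leq 20$, which is exactly the "for each $t' \in [0, t]$" clause of the step rule.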

B. Generalized Büchi TAs

Suppose we are given a TA $A$. An event-predicate is of the form $\eta_1 a \eta_2$. Here $\eta_1$ and $\eta_2$ are two state-predicates in $\mathcal{B}(P_A, X_A)$, respectively for the precondition and the post-condition of the event, and $a \in \Sigma_A$ is an event name. Event-predicate "$\eta_1 a \eta_2$" specifies the observation of event $a$ with precondition $\eta_1$ and post-condition $\eta_2$.

In this work, we allow fairness assumptions either as state-predicates or as event-predicates. A state fairness assumption is in $\mathcal{B}(P_A, X_A)$. An event fairness assumption is an event-predicate of $A$. Given two sets $\Phi$ and $\Psi$ of fairness assumptions, $\Phi\Psi$ denotes a multi-fairness assumption (MF-assumption) for $A$. All elements in $\Phi$ are called strong fairness assumptions while all in $\Psi$ are called weak fairness assumptions. A run $(\nu_0, e_0, t_0) \ldots (\nu_k, e_k, t_k) \ldots$ of $A$ satisfies $\Phi\Psi$ iff the following constraints hold.

• For every state-predicate $\eta \in \Phi$, there are infinitely many $k$'s such that for some $t \in [0, t_{k+1} - t_k]$, $\nu_k + t \models \eta$.

• For every event-predicate $\eta_1 a \eta_2 \in \Phi$, there are infinitely many $k$'s such that $\nu_k + (t_{k+1} - t_k) \models \eta_1$, $a \in \varepsilon_A(e_{k+1})$, and $\nu_{k+1} \models \eta_2$.

• For every state-predicate $\eta \in \Psi$, there is a $k$ such that for every $h > k$ and $t \in [0, t_{h+1} - t_h]$, $\nu_h + t \models \eta$.

• For every event-predicate $\eta_1 a \eta_2 \in \Psi$, there is a $k$ such that for every $h > k$, if $\nu_h + (t_{h+1} - t_h) \models \eta_1$ and $a \in \varepsilon_A(e_{h+1})$, then $\nu_{h+1} \models \eta_2$.

Given a TA $A$ and a state $\nu \in \mathbb{S}(A)$, we let $\Omega_A(\nu, \Phi\Psi)$ denote the set of runs of $A$ from $\nu$ satisfying $\Phi\Psi$. The following definition shows how to formally model real-time systems with fairness assumptions.

Definition 4: GBTAs and BTAs A generalized Büchi TA (GBTA) is a pair $(A, \Phi\Psi)$ with a TA $A$ and an MF-assumption $\Phi\Psi$. If $|\Phi| + |\Psi| \leq 1$, the pair is also called a Büchi TA (BTA).



Example 5: For the model $\mathcal{M}$ in figure 1(a), we may have a GBTA

$(\mathcal{M}, \{\mathit{wait}_1,\ \mathit{true}\,?serve@(2)\,\mathit{idle}_1\}\emptyset)$

that assumes $\mathcal{M}$ should stay in location $\mathit{wait}_1$ infinitely many times and event serve should be received by $\mathcal{M}$ infinitely many times with post-condition $\mathit{idle}_1$. We may also have the following GBTA

$(\mathcal{M}, \emptyset\{\mathit{stop}_1\})$

that assumes that $\mathcal{M}$ should eventually stabilize in location $\mathit{stop}_1$. ■

IV. Simulation of GBTAs 

Suppose we are given two TAs $A$, $B$. For any transitions $e \in E_A$ and $f \in E_B$, $e$ and $f$ are compatible iff $\varepsilon_A(e) = \varepsilon_B(f) \neq \emptyset$. That is, the observable events of the two automata on the two transitions must be nontrivially identical. For each $e \in E_A$ with $\varepsilon_A(e) \neq \emptyset$, we use $E_B^{(e)}$ to denote the subset of $E_B$ with elements compatible with $e$. For each $e \in E_A - \{\bot\}$ with $\varepsilon_A(e) = \emptyset$, $E_B^{(e)} = \{\bot\}$. Also, $E_B^{(\bot)}$ denotes the subset of $E_B$ with elements $f$ such that $\varepsilon_B(f) = \emptyset$.

In this section, from now on, we assume the context of two GBTAs $(\mathcal{M}, \Phi_\mathcal{M}\Psi_\mathcal{M})$ and $(\mathcal{S}, \Phi_\mathcal{S}\Psi_\mathcal{S})$, respectively for the model and the specification.



Given a state $\mu$ of $\mathcal{M}$ and a state $\nu$ of $\mathcal{S}$, we use $\mu\nu$ to denote the state-pair of $\mu$ and $\nu$. Operationally, $\mu\nu$ can be viewed as $\mu \circ \nu$, the functional composition of $\mu$ and $\nu$. A play between $\mathcal{M}$ and $\mathcal{S}$ is made of two matching runs, one of $\mathcal{M}$ and the other of $\mathcal{S}$. Conceptually, it is a sequence

$(\mu_0\nu_0, e_0 f_0, t_0) \ldots (\mu_k\nu_k, e_k f_k, t_k) \ldots$

of triples with the following restrictions.

• $(\mu_0, e_0, t_0) \ldots (\mu_k, e_k, t_k) \ldots$ is a run of $\mathcal{M}$. For convenience, we denote this run as $\mathrm{run}_\mathcal{M}(\rho)$.

• $(\nu_0, f_0, t_0) \ldots (\nu_k, f_k, t_k) \ldots$ is a run of $\mathcal{S}$. For convenience, we denote this run as $\mathrm{run}_\mathcal{S}(\rho)$.

• For each $k \in \mathbb{N}$, $f_k \in E_\mathcal{S}^{(e_k)}$.

The play is initial iff $\mu_0 \models I_\mathcal{M}$ and $\nu_0 \models I_\mathcal{S}$. A play prefix is a finite prefix of a play. Given a play $\rho$, we let $\rho^{(k)}$ be the prefix represented as the sequence of the first $k + 1$ elements of $\rho$.

Given a run (prefix)

$\theta = (\mu_0, e_0, t_0) \ldots (\mu_k, e_k, t_k) \ldots$

of $\mathcal{M}$ and a play (prefix)

$\rho = (\mu'_0\nu_0, e'_0 f_0, t'_0) \ldots (\mu'_h\nu_h, e'_h f_h, t'_h) \ldots$

between $\mathcal{M}$ and $\mathcal{S}$ (the components of the play are primed here to tell them apart from those of $\theta$), we say $\rho$ embeds $\theta$ iff there is a monotonically increasing integer function $\gamma()$ such that $\gamma(0) = 0$ and for each $k \in \mathbb{N}$, $\mu'_{\gamma(k)} = \mu_k$, $e'_{\gamma(k)} = e_k$, $t'_{\gamma(k)} = t_k$, and for each $h \in (\gamma(k), \gamma(k + 1))$, $e'_h = \bot$. Notationally, we let $\rho \triangleright_\mathcal{M} \theta$ denote the embedding relation between $\rho$ and $\theta$. Similarly we can define $\rho \triangleright_\mathcal{S} \theta'$ for the embedding relation between $\rho$ and a run $\theta'$ of $\mathcal{S}$.

A strategy in a game tells a TA what to execute at a state-pair in a play that is developing. Specifically, a strategy $\sigma$ for $\mathcal{S}$ is a mapping from play prefixes of $\mathcal{M}$ and $\mathcal{S}$ to transitions of $\mathcal{S}$. Symmetrically, we can define strategies for $\mathcal{M}$. Given a strategy $\sigma$ for $\mathcal{S}$ and a play $\rho = (\mu_0\nu_0, e_0 f_0, t_0) \ldots (\mu_k\nu_k, e_k f_k, t_k) \ldots$ between $\mathcal{M}$ and $\mathcal{S}$, we say that $\rho$ complies with $\sigma$ iff the following constraints are satisfied.

• For each $k \in \mathbb{N}$ and $t \in [0, t_{k+1} - t_k)$,

$\sigma(\rho^{(k)}((\mu_k + t)(\nu_k + t), \bot\bot, t_k + t)) = \bot$.

• For each $k \in \mathbb{N}$ and $t = t_{k+1} - t_k$ with either $t_{k+2} - t_{k+1} > 0$ or $f_{k+1} \neq \bot$,

$\sigma(\rho^{(k)}((\mu_k + t)(\nu_k + t), e_{k+1}\bot, t_{k+1})) = f_{k+1}$.

Similarly, we can also define the compliance of plays with strategies of $\mathcal{M}$. Given a state-pair $\mu\nu \in \mathbb{S}(\mathcal{M}) \times \mathbb{S}(\mathcal{S})$, a run $\theta$ of $\mathcal{M}$ from $\mu$, and a strategy $\sigma$ of $\mathcal{S}$, we let $\rho = \mathrm{play}(\mu\nu, \theta, \sigma)$ be the play (prefix) from $\mu\nu$ with the following restrictions.

• $\rho$ complies with $\sigma$.

• If $\rho$ is of infinite length, then it embeds $\theta$.

• If $\rho$ is of finite length, then there is a finite prefix $\bar{\theta} = (\mu_0, e_0, t_0) \ldots (\mu_k, e_k, t_k)$ of $\theta$ with the following restrictions.

— $\rho$ embeds $\bar{\theta}$.

— Any prefix of $\theta$ that supersedes $\bar{\theta}$ is not embedded by $\rho$.

Note that it may happen that $\mathrm{play}(\mu\nu, \theta, \sigma)$ is of only finite length. This can happen when at the end of the finite play, a player chooses a transition with an event set that the other player (opponent) cannot match with any transition. This can also happen when at the end of the finite play, a player can only execute matching transitions whose post-condition falls outside the invariance predicate.

Fig. 2. A simulation game with winning strategies of $\mathcal{M}$ that need memory.

Definition 5: Simulation of GBTAs A simulation $F$ of $(\mathcal{M}, \Phi_\mathcal{M}\Psi_\mathcal{M})$ by $(\mathcal{S}, \Phi_\mathcal{S}\Psi_\mathcal{S})$ is a binary relation $F \subseteq \mathbb{S}(\mathcal{M}) \times \mathbb{S}(\mathcal{S})$ such that for every $\mu\nu \in F$ and every run $\theta$ of $\mathcal{M}$ from $\mu$ that satisfies $\Phi_\mathcal{M}\Psi_\mathcal{M}$, there exists a play $\rho$ from $\mu\nu$ such that $\rho$ embeds $\theta$ and $\mathrm{run}_\mathcal{S}(\rho)$ satisfies $\Phi_\mathcal{S}\Psi_\mathcal{S}$.

We say that $(\mathcal{S}, \Phi_\mathcal{S}\Psi_\mathcal{S})$ simulates $(\mathcal{M}, \Phi_\mathcal{M}\Psi_\mathcal{M})$, in symbols $(\mathcal{M}, \Phi_\mathcal{M}\Psi_\mathcal{M}) \preceq (\mathcal{S}, \Phi_\mathcal{S}\Psi_\mathcal{S})$, if there exists a simulation $F$ of $(\mathcal{M}, \Phi_\mathcal{M}\Psi_\mathcal{M})$ by $(\mathcal{S}, \Phi_\mathcal{S}\Psi_\mathcal{S})$ such that for every $\mu \models I_\mathcal{M} \wedge V_\mathcal{M}$, there exists a $\nu \models I_\mathcal{S} \wedge V_\mathcal{S}$ with $\mu\nu \in F$. ■

Example 6: For the TAs in figure 1, we have that $(\mathcal{S}, \emptyset\emptyset)$ does not simulate $(\mathcal{M}, \emptyset\emptyset)$. Also, $(\mathcal{S}, \{\mathit{true}\,!serve\,\mathit{true}\}\emptyset)$ does not simulate $(\mathcal{M}, \emptyset\{\mathit{stop}_1\})$. However, $(\mathcal{S}, \emptyset\emptyset)$ simulates $(\mathcal{M}, \{\mathit{wait}_1\}\emptyset)$. ■

If $(\mathcal{S}, \Phi_\mathcal{S}\Psi_\mathcal{S})$ simulates $(\mathcal{M}, \Phi_\mathcal{M}\Psi_\mathcal{M})$, then for all initial states $\mu$ and runs $\theta$ of $\mathcal{M}$ from $\mu$ satisfying $\Phi_\mathcal{M}\Psi_\mathcal{M}$, there exists a strategy $\sigma$ such that $\mathrm{play}(\mu\nu, \theta, \sigma)$ satisfies $\Phi_\mathcal{S}\Psi_\mathcal{S}$. We call such a $\sigma$ a simulating strategy for $\theta$ by $\mathcal{S}$.

If $(\mathcal{S}, \Phi_\mathcal{S}\Psi_\mathcal{S})$ does not simulate $(\mathcal{M}, \Phi_\mathcal{M}\Psi_\mathcal{M})$, then there exists an initial run $\theta$ of $\mathcal{M}$ such that $\theta$ satisfies $\Phi_\mathcal{M}\Psi_\mathcal{M}$ and for all initial states $\nu$ and all strategies $\sigma$ of $\mathcal{S}$, all initial runs of $\mathcal{S}$ embedded by $\mathrm{play}(\mu\nu, \theta, \sigma)$ do not satisfy $\Phi_\mathcal{S}\Psi_\mathcal{S}$. We call such a run $\theta$ a refuting run of $\mathcal{M}$.

A strategy $\sigma$ of a TA $\mathcal{S}$ is memory-less iff for any two plays $\rho$ and $\rho'$ that end at the same triple, $\sigma(\rho) = \sigma(\rho')$. It is well known that parity games and reachability games all have memory-less winning strategies for either player [?]. The following lemma shows that the simulation of GBAs may need finite-memory refuting strategies.

Lemma 7: There is a simulation of GBAs with a simulation strategy for the specification but without a memory-less simulation strategy for the specification.
Proof: In figure 2 we have the TAs of two GBAs $(\mathcal{M}, \{m_0, m_1\}\emptyset)$ and $(\mathcal{S}, \{s_1, s_2\}\emptyset)$. Suppose we have a state-pair $\mu\nu$ with $\mathrm{mode}_\mathcal{M}(\mu) = m_0$ and $\mathrm{mode}_\mathcal{S}(\nu) = s_0$. As can be seen, for any memory-less strategy $\sigma$, either transition $(s_0, s_1)$ will always be chosen for any initial play prefix that ends at $\mu\nu$ or transition $(s_0, s_2)$ always will be. But such plays do not satisfy the strong fairness assumption of $(\mathcal{S}, \{s_1, s_2\}\emptyset)$ and cannot be used to fulfill the strong fairness assumptions of $\mathcal{S}$. Thus we know there is no memory-less simulation strategy for $(\mathcal{S}, \{s_1, s_2\}\emptyset)$.

On the other hand, we can devise a strategy for $\mathcal{S}$ that chooses $(s_0, s_1)$ and $(s_0, s_2)$ alternately. It is clear that such a strategy fulfills the strong fairness assumptions of $\{s_1, s_2\}$. ■



V. Characterization of USF-simulation

In this work, we focus on the characterization of the simulation of a model GBTA by a specification BTA. That is, we restrict the specification $(\mathcal{S}, \Phi_\mathcal{S}\Psi_\mathcal{S})$ to be a BTA with $|\Phi_\mathcal{S}| + |\Psi_\mathcal{S}| \leq 1$.

For convenience, given an MF-assumption $\Phi\Psi$ and a play $\rho = (\mu_0\nu_0, e_0 f_0, t_0) \ldots (\mu_k\nu_k, e_k f_k, t_k) \ldots$, we may also define the satisfaction of $\Phi\Psi$ by $\rho$ in a way similar to the satisfaction of $\Phi\Psi$ by runs.

According to definition 5, a state-pair $\mu\nu$ is not in any simulation if there exists a run $\theta$ of $\mathcal{M}$ from $\mu$, satisfying $\Phi_\mathcal{M}\Psi_\mathcal{M}$, such that for every strategy $\sigma$ for $\mathcal{S}$ and play $\rho$ from $\mu\nu$ complying with $\sigma$ and embedding $\theta$, $\rho$ does not satisfy $\Phi_\mathcal{S}\Psi_\mathcal{S}$. Putting this description in a structural way, we have the following presentation.

$(\mu \text{ starts a run } \theta \text{ of } \mathcal{M} \text{ satisfying } \Phi_\mathcal{M}\Psi_\mathcal{M}) \wedge \forall\rho\,(\rho \text{ starts from } \mu\nu \text{ and embeds } \theta \Rightarrow \rho \text{ does not satisfy } \Phi_\mathcal{S}\Psi_\mathcal{S})$

According to the composition of $\Phi_\mathcal{S}\Psi_\mathcal{S}$, this can be broken down into the cases described by the following four lemmas.

Lemma 8: In case $\Phi_\mathcal{S} = \{\eta\}$ for a state-predicate $\eta$, a state-pair $\mu\nu$ is not in any simulation of $(\mathcal{M}, \Phi_\mathcal{M}\Psi_\mathcal{M})$ by $(\mathcal{S}, \Phi_\mathcal{S}\Psi_\mathcal{S})$ iff

$(\mu \text{ starts a run } \theta \text{ of } \mathcal{M} \text{ satisfying } \Phi_\mathcal{M}\Psi_\mathcal{M}) \wedge \forall\rho\,(\rho \text{ starts from } \mu\nu \text{ and embeds } \theta \Rightarrow \rho \text{ satisfies } \Phi_\mathcal{M}(\Psi_\mathcal{M} \cup \{\neg\eta\}))$

is true.

Proof: According to the argument at the beginning of this section, we only have to prove that the following two statements are equivalent in the context that $\rho$ embeds $\theta$.

• $\rho$ does not satisfy $\{\eta\}\emptyset$.

• $\rho$ satisfies $\Phi_\mathcal{M}(\Psi_\mathcal{M} \cup \{\neg\eta\})$.

Assume that

$\rho = (\mu_0\nu_0, e_0 f_0, t_0) \ldots (\mu_k\nu_k, e_k f_k, t_k) \ldots$

We can prove this equivalence in two directions.
($\Rightarrow$) We assume that $\rho$ does not satisfy $\{\eta\}\emptyset$. According to the definition of strong fairness, we know that there are only finitely many $k$'s with a $t \in [0, t_{k+1} - t_k]$ such that $\mu_k\nu_k + t \models \eta$. We let $m$ be the maximum of such $k$'s. Then it is clear that for every $h > m$ and $t \in [0, t_{h+1} - t_h]$, $\mu_h\nu_h + t \not\models \eta$. This means that $\rho$ satisfies $\emptyset\{\neg\eta\}$. Then the embedding of $\theta$ by $\rho$ implies that $\rho$ satisfies $\Phi_\mathcal{M}(\Psi_\mathcal{M} \cup \{\neg\eta\})$.
($\Leftarrow$) We assume that $\rho$ satisfies $\Phi_\mathcal{M}(\Psi_\mathcal{M} \cup \{\neg\eta\})$. Then according to the definition of weak fairness, we know that there exists an $m$ such that for every $h > m$ and $t \in [0, t_{h+1} - t_h]$, $\mu_h\nu_h + t \models \neg\eta$. Thus it is not true that there are infinitely many $k$'s with a $t \in [0, t_{k+1} - t_k]$ such that $\mu_k\nu_k + t \models \eta$. According to the definition of strong fairness, $\rho$ does not satisfy $\{\eta\}\emptyset$.

With the proof of the two directions, the lemma is proven. ■



Lemma 9: In case $\Phi_\mathcal{S} = \{\eta_1 a \eta_2\}$ for an event-predicate $\eta_1 a \eta_2$, a state-pair $\mu\nu$ is not in any simulation of $(\mathcal{M}, \Phi_\mathcal{M}\Psi_\mathcal{M})$ by $(\mathcal{S}, \Phi_\mathcal{S}\Psi_\mathcal{S})$ iff

$(\mu \text{ starts a run } \theta \text{ of } \mathcal{M} \text{ satisfying } \Phi_\mathcal{M}\Psi_\mathcal{M}) \wedge \forall\rho\,(\rho \text{ starts from } \mu\nu \text{ and embeds } \theta \Rightarrow \rho \text{ satisfies } \Phi_\mathcal{M}(\Psi_\mathcal{M} \cup \{\eta_1 a \neg\eta_2\}))$

is true.
Proof: Suppose we are given

$\rho = (\mu_0\nu_0, e_0 f_0, t_0) \ldots (\mu_k\nu_k, e_k f_k, t_k) \ldots$

The proof is similar to the one for lemma 8, except that we need to show, for a $k \geq 0$, the equivalence between the following two statements.

• It is not true that $(\mu_k + t_{k+1} - t_k)(\nu_k + t_{k+1} - t_k) \models \eta_1$, $a \in \varepsilon_\mathcal{M} \cap \varepsilon_\mathcal{S}$, and $\mu_{k+1}\nu_{k+1} \models \eta_2$.

• If $(\mu_k + t_{k+1} - t_k)(\nu_k + t_{k+1} - t_k) \models \eta_1$ and $a \in \varepsilon_\mathcal{M} \cap \varepsilon_\mathcal{S}$, then $\mu_{k+1}\nu_{k+1} \not\models \eta_2$.

This equivalence follows from the semantics of propositional logic. By treating the event-predicate as a state-predicate, we can prove the lemma as we have proved lemma 8. ■

Lemma 10: In case $\Psi_\mathcal{S} = \{\eta\}$ for a state-predicate $\eta$, a state-pair $\mu\nu$ is not in any simulation of $(\mathcal{M}, \Phi_\mathcal{M}\Psi_\mathcal{M})$ by $(\mathcal{S}, \Phi_\mathcal{S}\Psi_\mathcal{S})$ iff

$(\mu \text{ starts a run } \theta \text{ of } \mathcal{M} \text{ satisfying } \Phi_\mathcal{M}\Psi_\mathcal{M}) \wedge \forall\rho\,(\rho \text{ starts from } \mu\nu \text{ and embeds } \theta \Rightarrow \rho \text{ satisfies } (\Phi_\mathcal{M} \cup \{\neg\eta\})\Psi_\mathcal{M})$

is true.

Proof: By replacing $\eta$ with $\neg\eta$, we can use a proof similar to the one for lemma 8 for this lemma. ■

Lemma 11: In case $\Psi_\mathcal{S} = \{\eta_1 a \eta_2\}$ for an event-predicate $\eta_1 a \eta_2$, a state-pair $\mu\nu$ is not in any simulation of $(\mathcal{M}, \Phi_\mathcal{M}\Psi_\mathcal{M})$ by $(\mathcal{S}, \Phi_\mathcal{S}\Psi_\mathcal{S})$ iff

$(\mu \text{ starts a run } \theta \text{ of } \mathcal{M} \text{ satisfying } \Phi_\mathcal{M}\Psi_\mathcal{M}) \wedge \forall\rho\,(\rho \text{ starts from } \mu\nu \text{ and embeds } \theta \Rightarrow \rho \text{ satisfies } (\Phi_\mathcal{M} \cup \{\eta_1 a \neg\eta_2\})\Psi_\mathcal{M})$

is true.

Proof: By replacing $\eta_1 a \eta_2$ with $\eta_1 a \neg\eta_2$, we can use a proof similar to the one for lemma 9 for this lemma. ■

For convenience, given two sets $\Lambda$ and $\Lambda'$ of fairness assumptions, we let $(\Lambda - \Lambda')$ denote

$\Lambda \cup \{\neg\eta \mid \eta \in \Lambda'\} \cup \{\eta_1 a \neg\eta_2 \mid \eta_1 a \eta_2 \in \Lambda'\}$.

According to lemmas 8, 9, 10, and 11, we conclude with the following lemma.

Lemma 12: In case $|\Phi_\mathcal{S}| + |\Psi_\mathcal{S}| \leq 1$, a state-pair $\mu\nu$ is not in any simulation of $(\mathcal{M}, \Phi_\mathcal{M}\Psi_\mathcal{M})$ by $(\mathcal{S}, \Phi_\mathcal{S}\Psi_\mathcal{S})$ iff

$(\mu \text{ starts a run } \theta \text{ of } \mathcal{M} \text{ satisfying } \Phi_\mathcal{M}\Psi_\mathcal{M}) \wedge \forall\rho\,(\rho \text{ starts from } \mu\nu \text{ and embeds } \theta \Rightarrow \rho \text{ satisfies } (\Phi_\mathcal{M} - \Psi_\mathcal{S})(\Psi_\mathcal{M} - \Phi_\mathcal{S}))$

is true.

A procedure to construct a formula for states $\mu$ that start a run of $\mathcal{M}$ satisfying $\Phi_\mathcal{M}\Psi_\mathcal{M}$ can be found in [25]. Lemma 12 suggests that we still need to implement a procedure that constructs formulas for state-pairs that start all plays $\rho$ satisfying the following constraint.

$\rho \text{ starts from } \mu\nu \text{ and embeds } \theta \Rightarrow \rho \text{ satisfies } (\Phi_\mathcal{M} - \Psi_\mathcal{S})(\Psi_\mathcal{M} - \Phi_\mathcal{S})$

Such a play $\rho$ eventually stabilizes into a cycle of state-pairs along which each assumption in $(\Phi_\mathcal{M} - \Psi_\mathcal{S})$ is satisfied once and all assumptions in $(\Psi_\mathcal{M} - \Phi_\mathcal{S})$ are satisfied throughout the cycle. The following definition characterizes state-pairs in such a cycle.
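As an added illustration (not from the paper and not the authors' implementation) of the satisfaction conditions of Section III-B and of the $(\Lambda - \Lambda')$ construction of Lemma 12, the following Python evaluates an MF-assumption over a run of the shape just described, a finite prefix followed by a cycle: a strong assumption must hold at some point of the cycle, a weak one throughout it. It then checks Lemma 12 on sample runs: a play fails the single specification assumption exactly when it satisfies the negated assumption moved to the other set. Runs are abstracted to their mode sequence and the event sets of their transitions (clock values are dropped), so every predicate is over location names; that abstraction, the `Lasso` representation, and the constructed runs of $\mathcal{M}$ from figure 1(a) are this example's own.

```python
# Added example (not from the paper): MF-assumption satisfaction on lasso-shaped
# runs and the (Lambda - Lambda') construction of Lemma 12. Runs are abstracted to
# mode sequences; the representation and sample runs are this example's own.
from typing import Callable, FrozenSet, Iterator, List, NamedTuple, Sequence, Tuple, Union

StatePred = Callable[[str], bool]              # eta, evaluated on the current mode


class EventPred(NamedTuple):                   # eta1 a eta2
    pre: StatePred
    event: str
    post: StatePred


Fairness = Union[StatePred, EventPred]


class Lasso(NamedTuple):
    """A run prefix.cycle^omega: modes[k] is the k-th state, events[k] the event set
    of the transition leaving it; the last transition returns to modes[loop]."""
    modes: List[str]
    events: List[FrozenSet[str]]
    loop: int

    def cycle_steps(self) -> Iterator[Tuple[str, FrozenSet[str], str]]:
        n = len(self.modes)
        for k in range(self.loop, n):
            nxt = k + 1 if k + 1 < n else self.loop
            yield self.modes[k], self.events[k], self.modes[nxt]


def matches(phi: EventPred, src: str, events: FrozenSet[str], dst: str) -> bool:
    return phi.pre(src) and phi.event in events and phi.post(dst)


def holds_infinitely_often(phi: Fairness, run: Lasso) -> bool:
    """Strong fairness: 'infinitely many k' on a lasso means 'some k in the cycle'."""
    if isinstance(phi, EventPred):
        return any(matches(phi, s, ev, d) for s, ev, d in run.cycle_steps())
    return any(phi(m) for m in run.modes[run.loop:])


def holds_eventually_forever(phi: Fairness, run: Lasso) -> bool:
    """Weak fairness: 'for every h beyond some k' means 'throughout the cycle'."""
    if isinstance(phi, EventPred):
        return all(phi.post(d) for s, ev, d in run.cycle_steps()
                   if phi.pre(s) and phi.event in ev)
    return all(phi(m) for m in run.modes[run.loop:])


def satisfies(run: Lasso, strong: Sequence[Fairness], weak: Sequence[Fairness]) -> bool:
    """run |= Phi Psi with Phi = strong and Psi = weak."""
    return (all(holds_infinitely_often(p, run) for p in strong)
            and all(holds_eventually_forever(p, run) for p in weak))


def negate(phi: Fairness) -> Fairness:
    """eta -> not eta and eta1 a eta2 -> eta1 a (not eta2), as in (Lambda - Lambda')."""
    if isinstance(phi, EventPred):
        return EventPred(phi.pre, phi.event, lambda m, post=phi.post: not post(m))
    return lambda m, p=phi: not p(m)


def minus(lam: Sequence[Fairness], lam_prime: Sequence[Fairness]) -> List[Fairness]:
    """(Lambda - Lambda') = Lambda together with the negations of Lambda'."""
    return list(lam) + [negate(p) for p in lam_prime]


def refutes(run: Lasso, strong_s: Sequence[Fairness], weak_s: Sequence[Fairness],
            strong_m: Sequence[Fairness] = (), weak_m: Sequence[Fairness] = ()) -> Tuple[bool, bool]:
    """Lemma 12 on one play: 'run satisfies Phi_M Psi_M but not Phi_S Psi_S' checked
    directly, and via '(Phi_M - Psi_S)(Psi_M - Phi_S)'. They coincide only because the
    specification carries at most one assumption (the USF restriction)."""
    assert len(strong_s) + len(weak_s) <= 1
    direct = satisfies(run, strong_m, weak_m) and not satisfies(run, strong_s, weak_s)
    via_lemma = satisfies(run, minus(strong_m, weak_s), minus(weak_m, strong_s))
    return direct, via_lemma


def is_mode(name: str) -> StatePred:
    return lambda m: m == name


IDLE1, WAIT1, STOP1 = is_mode("idle1"), is_mode("wait1"), is_mode("stop1")
TRUE: StatePred = lambda m: True
SERVED = EventPred(TRUE, "?serve", IDLE1)      # true ?serve idle1 of Example 5

# Constructed runs of M (figure 1(a)): one cycling idle1/wait1 forever, one that
# ends in stop1 where only the null transition (empty event set) repeats.
CYCLING = Lasso(["idle1", "wait1"], [frozenset({"!request"}), frozenset({"?serve"})], loop=0)
STOPPING = Lasso(["idle1", "wait1", "stop1"],
                 [frozenset({"!request"}), frozenset({"!end"}), frozenset()], loop=2)

if __name__ == "__main__":
    print(satisfies(CYCLING, [WAIT1, SERVED], []), satisfies(STOPPING, [], [STOP1]))
    print(refutes(CYCLING, [STOP1], []), refutes(STOPPING, [], [WAIT1]))
```

The `refutes` helper makes the USF restriction visible: with two strong specification assumptions, "the play fails $\Phi_\mathcal{S}$" would mean "at least one of them fails", which is not what moving both negations into $\Psi_\mathcal{M}$ expresses, so the equivalence of Lemma 12 is only asserted for $|\Phi_\mathcal{S}| + |\Psi_\mathcal{S}| \leq 1$.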

Definition 6: CSR A state-pair $\mu\nu$ is CSR (cyclically simulation-refuting) with $(\Phi_\mathcal{M} - \Psi_\mathcal{S})(\Psi_\mathcal{M} - \Phi_\mathcal{S})$ iff for every $\phi \in (\Phi_\mathcal{M} - \Psi_\mathcal{S})$, there exists a run $\theta$ of $\mathcal{M}$ with the following two constraints.

C1: For every strategy $\sigma$ of $\mathcal{S}$ with $\rho = \mathrm{play}(\mu\nu, \theta, \sigma)$, if $\rho$ is of infinite length, then the following four constraints are satisfied.
C1a: All state-pairs along $\rho$ satisfy the state-predicates in $(\Psi_\mathcal{M} - \Phi_\mathcal{S})$.
C1b: All transition-pairs along $\rho$ satisfy the event-predicates in $(\Psi_\mathcal{M} - \Phi_\mathcal{S})$.
C1c: For every state-predicate $\eta$ in $(\Phi_\mathcal{M} - \Psi_\mathcal{S})$, there is a CSR state-pair in $\rho$ satisfying $\eta$ more than 1 time unit from the start of $\rho$.
C1d: For every event-predicate $\eta$ in $(\Phi_\mathcal{M} - \Psi_\mathcal{S})$, there is a transition-pair in $\rho$ satisfying $\eta$ more than 1 time unit from the start of $\rho$.
C2: There exists a strategy $\sigma$ of $\mathcal{S}$ with an infinitely long play $\mathrm{play}(\mu\nu, \theta, \sigma)$.
The 1-time-unit requirement at condition C1c is for making sure that the play is non-Zeno.

A state-pair $\mu\nu$ is inevitably SR (ISR) with $(\Phi_\mathcal{M} - \Psi_\mathcal{S})(\Psi_\mathcal{M} - \Phi_\mathcal{S})$ iff there exists a run $\theta$ of $\mathcal{M}$ from $\mu$ such that for all strategies $\sigma$ of $\mathcal{S}$, if $\mathrm{play}(\mu\nu, \theta, \sigma)$ is infinite, then $\mathrm{play}(\mu\nu, \theta, \sigma)$ visits a CSR state-pair. ■

The following lemma is important for our algorithm development.

Lemma 13: Suppose we are given a GBTA $\mathcal{M}$ and a BTA $\mathcal{S}$. For any state-pair $\mu\nu \in \mathbb{S}(\mathcal{M}) \times \mathbb{S}(\mathcal{S})$, the following two statements are equivalent.

R1: $\mu$ starts a run $\theta$ of $\mathcal{M}$ satisfying $\Phi_M\Psi_M$ and for all plays $\rho$ from $\mu\nu$ embedding $\theta$, $\rho$ satisfies $(\Phi_M - \Psi_S)(\Psi_M - \Phi_S)$.

R2: There exist an $e \in E_M$, a $t \in \mathbb{R}^{\ge 0}$, and a $\mu' \in \mathbb{S}(\mathcal{M})$ with the following constraints.
  R2a: $\mu \xrightarrow{t,e} \mu'$.
  R2b: $\mu'$ starts a run satisfying $\Phi_M\Psi_M$.
  R2c: For every $f \in E_S$ and $\nu' \in \mathbb{S}(\mathcal{S})$ with $\mu\nu \xrightarrow{t,ef} \mu'\nu'$, $\mu'\nu'$ is an ISR state-pair with $(\Phi_M - \Psi_S)(\Psi_M - \Phi_S)$.
Proof: We prove the lemma in two directions.

(⇒) We assume that R1 is true. Conditions R2a and R2b are automatically true since $\theta$ must begin with a timed transition step $\mu \xrightarrow{t,e} \mu'$ for some $t \in \mathbb{R}^{\ge 0}$, $e \in E_M$, and $\mu' \in \mathbb{S}(\mathcal{M})$.

As for condition R2c, we establish it in the following. The truth of R1 means that for every strategy $\sigma$ of $\mathcal{S}$, if $\rho = \mathrm{play}(\mu\nu, \theta, \sigma)$ embeds $\theta$, then $\rho$ must satisfy $(\Phi_M - \Psi_S)(\Psi_M - \Phi_S)$. This means that there exists a $b \in \mathbb{R}^{\ge 0}$ such that for every such infinite $\rho$, after $b$ time units from the start of $\rho$, all predicates in $(\Psi_M - \Phi_S)$ are satisfied and all predicates in $(\Phi_M - \Psi_S)$ are satisfied infinitely and divergently many times. If such a $b$ does not exist, then we can construct a play that violates $(\Phi_M - \Psi_S)(\Psi_M - \Phi_S)$ and the assumption of R1. We claim that all state-pairs $\mu\nu$ happening after $b$ time units from the start in all infinite plays are CSR state-pairs in definition 6. The reasons are the following.

• Since $\mu\nu$ happens $b$ time units after the start of the play, it must satisfy conditions C1a and C1b in definition 6. Moreover, along every infinite play from $\mu\nu$, for every predicate $\eta$ in $(\Phi_M - \Psi_S)$, there are infinitely and divergently many state-pairs or transition-pairs that satisfy $\eta$. Thus we can find the first state-pair $\mu\nu$ in the tail with the following restrictions.

  – $\mu\nu$ is at least one time unit from the start of the play.

  – Either $\mu\nu$ satisfies $\eta$ as a state-predicate or the transition-pair right before $\mu\nu$ satisfies $\eta$ as an event-predicate.

  This implies that conditions C1c and C1d in definition 6 are satisfied at $\mu\nu$.

• The assumption that leads to the satisfaction of $(\Phi_M - \Psi_S)(\Psi_M - \Phi_S)$ by $\rho$ then implies that there exists such a play. This implies that condition C2 in definition 6 is satisfied.

The argument above establishes that $\mu\nu$ is indeed a CSR state-pair. Thus we know that along every infinite play from $\mu'\nu'$, we can reach such a $\mu\nu$. This implies that $\mu'\nu'$ is an ISR state-pair and condition R2c is satisfied. Thus the lemma is proven in this direction.

(⇐) We assume that R2 is true. This implies that there exist an $e \in E_M$, a $t \in \mathbb{R}^{\ge 0}$, and a $\mu' \in \mathbb{S}(\mathcal{M})$ with $\mu \xrightarrow{t,e} \mu'$ and $\mu'$ starting a run satisfying $\Phi_M\Psi_M$. There are two cases to analyze.

• By letting $\theta$ start with $(\mu, \bot, 0)(\mu', e, t)$ and be followed by the tail from $\mu'$ that satisfies $\Phi_M\Psi_M$, we deduce that $\mu$ also starts a run $\theta$ that satisfies $\Phi_M\Psi_M$.

• Then for all strategies $\sigma$ of $\mathcal{S}$ with $\rho = \mathrm{play}(\mu\nu, \theta, \sigma)$, we can go to an ISR state-pair $\mu'\nu'$ with $(\Phi_M - \Psi_S)(\Psi_M - \Phi_S)$. This implies that for all infinite plays from $\mu'\nu'$, we can visit a CSR state-pair $\mu\nu$. Then according to the definition of CSR state-pairs, for each predicate $\eta \in (\Phi_M - \Psi_S)$, we can go from $\mu\nu$ along a play with all state-pairs and transition-pairs satisfying the predicates in $(\Psi_M - \Phi_S)$. Moreover, the play visits a CSR state-pair $\mu\nu$ that either satisfies $\eta$ as a state-predicate or, together with the transition-pair immediately before it, satisfies $\eta$ as an event-predicate. Since this $\mu\nu$ is also CSR, we can repeat the same argument to fulfill another predicate assumption in $(\Phi_M - \Psi_S)$. By repeating this procedure for all predicates in $(\Phi_M - \Psi_S)$ infinitely many times, we can construct every infinite play from $\mu\nu$ that embeds the $\theta$ mentioned in the last item. This construction then leads to the conclusion that all plays from $\mu\nu$ embedding $\theta$ satisfy $(\Phi_M - \Psi_S)(\Psi_M - \Phi_S)$.

This completes the proof of this direction. Since both directions of the proof are done, we know the lemma is true. ■

Lemma 13 suggests the development of an evaluation algorithm for CSR state-pairs for the solution of USF-simulations of GBTAs. In the following, we explain how to do this.



VI. A SYMBOLIC ALGORITHM FOR USF-SIMULATION

In this work, we focus on the simulation algorithm for a model GBTA by a specification BTA. Our algorithm is based on the construction of formulas for CSR and ISR state-pairs. In the following, we assume the context of a model GBTA $(\mathcal{M}, \Phi_M\Psi_M)$ and a specification BTA $(\mathcal{S}, \Phi_S\Psi_S)$.

In subsection VI-A, we present some symbolic procedures from the model-checking technology of dense-time systems as our basic building blocks. In subsection VI-B, we present algorithms for state-pairs that can be forced to a goal in one timed transition step. In subsection VI-C, we use the procedures in subsection VI-B to construct algorithms for state-pairs that can be forced to a goal in zero or more timed transition steps. In subsection VI-D, we present the algorithm for simulation-checking. In subsection VI-E, we analyze the complexity of our algorithm.



We use adapted TCTL formulas $\exists\eta_1 U_S \eta_2$ in our presentation of the algorithm. Specifically, $\exists\eta_1 U_S \eta_2$ characterizes those state-pairs $\mu\nu$ with the following restrictions.

• $\mu\nu$ starts an $\eta_1$-PPrefix $\rho$ that ends at a state-pair satisfying $\eta_2$.

• Along the $\rho$ mentioned above, all the transitions are of the form $(\bot, f)$ with $f \in E_S$.

Following the techniques in [15], [24], we can construct a formula in $M(P_M \cup P_S, X_M \cup X_S)$ that characterizes state-pairs satisfying $\exists\eta_1 U_S \eta_2$. Specifically, the formula is as follows.

$$\exists\eta_1 U_S \eta_2 \equiv \mathrm{lfp}\,Z.\Big(\eta_2 \vee \Gamma\big(\eta_1, \bigvee_{f \in E_S} \bot f(Z)\big)\Big)$$

Here lfp is the least fixpoint operator and $\mathrm{lfp}\,Z.(\beta(Z))$ represents the smallest solution to $Z = \beta(Z)$.

Another type of formula that we want to use is for states $\mu$ of $\mathcal{M}$ that start runs satisfying $\Phi_M\Psi_M$. We denote this formula as $\exists\Box\Phi_M\Psi_M$ for convenience. The construction of this formula can be found in [25].



A. Building blocks from model-checking technology

In this subsection, we adapt procedures for TCTL model-checking [2] for the evaluation of simulation-checking.

Given a formula $\eta$, a run prefix $(\mu_0, e_0, t_0) \ldots (\mu_k, e_k, t_k)$ of $\mathcal{M}$ is called an $\eta$-RPrefix if for every $h \in [0, k)$ and $t \in [0, t_{h+1} - t_h]$, $\mu_h + t \models \eta$. Similarly, a play prefix $(\mu_0\nu_0, e_0f_0, t_0) \ldots (\mu_k\nu_k, e_kf_k, t_k)$ of $\mathcal{M}$ is called an $\eta$-PPrefix if for every $h \in [0, k)$ and $t \in [0, t_{h+1} - t_h]$, $\mu_h\nu_h + t \models \eta$.

Given a state-pair set $D$, we let $\exists S(D) = \{\mu \mid \mu\nu \in D\}$. Given a TA $\mathcal{S}$ with $P_S = \{p_1, \ldots, p_m\}$ and $X_S = \{x_1, \ldots, x_n\}$, we let $\exists S(\eta)$ be the following formula.

$$\exists p_1 \ldots \exists p_m \exists x_1 \ldots \exists x_n (\eta).$$

Also, given a set $P = \{p_1, \ldots, p_m\}$ and a set $X = \{x_1, \ldots, x_n\}$, we let $\mathrm{reset}[P, X](\eta)$ be the following formula.

$$\exists p_1 \ldots \exists p_m \exists x_1 \ldots \exists x_n \big(\eta \wedge \bigwedge_{x \in X} x = 0\big).$$

Standard procedures for constructing state-predicates of existentially quantified formulas can be found in [15], [24].

Given a transition-pair $ef \in E_M \times E_S$ with $e = (q_1, q_1')$ and $f = (q_2, q_2')$, we let $ef(\eta)$ be the formula of state-pairs that may go to state-pairs in $\eta$ through the simultaneous execution of $e$ and $f$ respectively. Specifically, $ef(\eta)$ is defined as follows.

$$q_1 \wedge q_2 \wedge \lambda_M(q_1) \wedge \lambda_S(q_2) \wedge \tau_M(e) \wedge \tau_S(f) \wedge \mathrm{reset}[P_M \cup P_S, X_M \cup X_S](\eta \wedge q_1' \wedge q_2')$$

We also need the formulas for the precondition of time-progress to a state-pair satisfying $\eta_2$ through intermediate state-pairs satisfying $\eta_1$. Procedures for such formulas can be found in [13], [23], [24], [25]. We present the formula, denoted $\Gamma(\eta_1, \eta_2)$, for the readers' convenience in the following.

$$\exists t \Big(t \ge 0 \wedge \eta_2 + t \wedge \forall t' \big((t' < t \wedge t' \ge 0) \rightarrow \eta_1 + t'\big)\Big)$$

Here $\eta + t$ represents a formula obtained from $\eta$ by replacing every clock variable $x$ in $\eta$ with $x + t$.

We use the adapted TCTL formulas $\exists\eta_1 U_S \eta_2$ introduced at the beginning of this section in our presentation of the algorithm.



B. One-step timed inevitabilities by $\mathcal{M}$

Given a set $D$ of states (or state-pairs), we use $((D))$ to denote a formula that characterizes $D$. Given a formula $\eta$, we use $[\eta]$ to represent the set of states (or state-pairs) that satisfy $\eta$. Given an $e \in E_M$, a set $\Psi$ of event weak fairness assumptions, and a $t \in \mathbb{R}^{\ge 0}$, we use $(\mathcal{M})D_1 \Diamond^{e,t}_\Psi D_2$ to denote the set of state-pairs $\mu\nu$ with the following restrictions.

M1: There is a $((\exists S(D_1)))$-RPrefix $(\mu, \bot, t_0)([\mu \xrightarrow{t,e}], e, t + t_0)$ with the following restriction.

  – $[\mu \xrightarrow{t,e}]$ is in $\exists S(D_2)$ and satisfies $\exists\Box\Phi_M\Psi_M$.

M2: For every $((D_1))$-PPrefix $(\mu_0\nu_0, e_0f_0, t_0) \ldots (\mu_k\nu_k, e_kf_k, t_k)$ with

  – $\mu_0\nu_0 = \mu\nu$,

  – $t_k - t_0 = t$,

  – $e_k = e$,

  – $\forall h \in [0, k)(e_h = \bot)$, and

  – for every event weak fairness assumption $\eta_3\,a\,\eta_4 \in \Psi$, if $a \in \varepsilon(e)$ and $\mu \models \eta_3$, then $[\mu \xrightarrow{t,e}] \models \eta_4$,

  $\mu_k\nu_k$ is in $D_2$. Note that in the just-mentioned $((D_1))$-PPrefix, the strategy of $\mathcal{S}$ can only use the internal transitions of $\mathcal{S}$.

We can use the following TCTL formula to help us characterize $(\mathcal{M})D_1 \Diamond^{e,t}_\Psi D_2$. Given two state-predicates $\eta_1, \eta_2$ and a set $\Psi$ of event formulas for weak fairness assumptions, we let $\Diamond^{e,\Psi}_{\mathcal{M}}(\eta_1, \eta_2)$ be defined as follows.

/ z = Cg l /W/ feE pef{-*i2) \ 

AA TO «74 s *, ^(% A e'f'i^i)) 



A^3rpU s 



\ 



\ 



e 6 -E.M, 
a G ejw(e') 



/ 



Here $z$ is an auxiliary clock variable not used in $X_M \cup X_S$. The conjunction
' ^main&^^'£E M M£e M (e')J'£E l / } 



iffy A e'/'(-iM)) 



in the post-condition is used to make sure that no event weak 
fairness assumptions in \P is violated. It is used to eliminate all 
state-pairs violating an event weak fairness assumption. The 
following lemma shows how to use the above formulas to help 
us evaluating (M)Di Of D 2 . 

Lemma 14: For every $\mu\nu$, $e = (q, q') \in E_M$, $t \in [0, C^{\mathcal{M}}_{\mathcal{S}}]$, formulas $\eta_1, \eta_2$ of state-pairs, and a set $\Psi$ of event weak fairness assumptions, $\mu\nu \in (\mathcal{M})[\eta_1] \Diamond^{e,t}_\Psi [\eta_2]$ iff $\mu\nu \models \exists z\big(t = C^{\mathcal{M}}_{\mathcal{S}} - z \wedge \Diamond^{e,\Psi}_{\mathcal{M}}(\eta_1, \eta_2)\big)$.
Proof: We can rewrite condition M2 of $(\mathcal{M})[\eta_1] \Diamond^{e,t}_\Psi [\eta_2]$ as follows.

M2': There is no $\eta_1$-PPrefix $(\mu_0\nu_0, e_0f_0, t_0) \ldots (\mu_k\nu_k, e_kf_k, t_k)$ with

  – $\mu_0\nu_0 = \mu\nu$,

  – $t_k - t_0 = t$,

  – $\forall h \in [0, k)(e_h = \bot)$,

  – $\mu_k\nu_k \models \neg\eta_2$, and

  – for every $\eta_3\,a\,\eta_4 \in \Psi$ and $e' \in E_M$, $a \in \varepsilon_M(e')$, and $f' \in E_S$, it is not true that $[\mu_{k-1}\nu_{k-1} \xrightarrow{0,\, e'f'}] \models \neg\eta_4$.

It is clear that a state-pair satisfies M1 and M2 if and only if it satisfies M1 and M2'. By renaming $t_0$ as a clock variable $z$ and $t_k$ as the constant $C^{\mathcal{M}}_{\mathcal{S}}$, we can use $C^{\mathcal{M}}_{\mathcal{S}} - z$ to represent $t$. This means that M1 and M2' can be rewritten as $z = C^{\mathcal{M}}_{\mathcal{S}} - t$ and the following two conditions.

M1': There exists an $\exists S(\eta_1)$-RPrefix $(\mu, \bot, z)([\mu \xrightarrow{C^{\mathcal{M}}_{\mathcal{S}} - z,\, e}], e, C^{\mathcal{M}}_{\mathcal{S}})$ with $[\mu \xrightarrow{C^{\mathcal{M}}_{\mathcal{S}} - z,\, e}] \models \exists S(\eta_2) \wedge \exists\Box\Phi_M\Psi_M$.

M2'': There is no $\eta_1$-PPrefix $(\mu_0\nu_0, e_0f_0, t_0) \ldots (\mu_k\nu_k, e_kf_k, t_k)$ with $e_k = e$, $\forall h \in [0, k)(e_h = \bot)$, $\mu_0\nu_0 = \mu\nu$, $\mu_k\nu_k \models \neg\eta_2$, and for every $\eta_3\,a\,\eta_4 \in \Psi$ and $e' \in E_M$, $a \in \varepsilon_M(e')$, and $f' \in E_S$, it is not true that $[\mu_{k-1}\nu_{k-1} \xrightarrow{0,\, e'f'}] \models \neg\eta_4$.


M1' means the following.
^\=T(3S( m ),z 



_ C M Ae ( 35M 



M^M 



M2'' means the following.

MisaiM e », "-fas A e'/'f-u/*)) 



//i/ |= ->3rjiU s 



\ 



a G eju(e')i 



/ 



Combining these two formulas and reducing them with the definition of $\Diamond^{e,\Psi}_{\mathcal{M}}(\eta_1, \eta_2)$, we find that $\mu\nu$ must satisfy $t = C^{\mathcal{M}}_{\mathcal{S}} - z \wedge \Diamond^{e,\Psi}_{\mathcal{M}}(\eta_1, \eta_2)$. Thus the lemma is proven. ■
Based on lemma 14, we can define the following notations for those state-pairs that can be forced into either a certain destination or a transition of $\mathcal{M}$ that $\mathcal{S}$ cannot match. Specifically, we let

$$(\mathcal{M})D_1 \Diamond^{\Psi} D_2 \equiv \bigcup_{e \in E_M,\; t \in \mathbb{R}^{\ge 0}} (\mathcal{M})D_1 \Diamond^{e,t}_\Psi D_2.$$

Correspondingly, given two formulas $\eta_1$ and $\eta_2$, we can construct $\Diamond^{\Psi}_{\mathcal{M}}(\eta_1, \eta_2)$, defined as follows.

$$\Diamond^{\Psi}_{\mathcal{M}}(\eta_1, \eta_2) \equiv \bigvee_{e \in E_M} \exists z\big(\Diamond^{e,\Psi}_{\mathcal{M}}(\eta_1, \eta_2)\big).$$

Then according to lemma 14, we can establish the following lemma.

Lemma 15: For every $\mu\nu \in \mathbb{S}(\mathcal{M}) \times \mathbb{S}(\mathcal{S})$, formulas $\eta_1, \eta_2$ of state-pairs, and set $\Psi$ of event weak fairness assumptions,

$$\mu\nu \in (\mathcal{M})[\eta_1] \Diamond^{\Psi} [\eta_2] \text{ iff } \mu\nu \models \Diamond^{\Psi}_{\mathcal{M}}(\eta_1, \eta_2).$$

Proof: We have the following deduction.

$$\begin{aligned}
& \mu\nu \in (\mathcal{M})[\eta_1] \Diamond^{\Psi} [\eta_2] \\
\equiv\; & \mu\nu \in \bigcup_{e \in E_M,\; t \in \mathbb{R}^{\ge 0}} (\mathcal{M})[\eta_1] \Diamond^{e,t}_\Psi [\eta_2] \\
\equiv\; & \bigvee_{e \in E_M,\; t \in \mathbb{R}^{\ge 0}} \mu\nu \in (\mathcal{M})[\eta_1] \Diamond^{e,t}_\Psi [\eta_2]
\end{aligned}$$

According to lemma 14, this implies the following.

$$\begin{aligned}
& \bigvee_{e \in E_M,\; t \in \mathbb{R}^{\ge 0}} \mu\nu \models \exists z\big(t = C^{\mathcal{M}}_{\mathcal{S}} - z \wedge \Diamond^{e,\Psi}_{\mathcal{M}}(\eta_1, \eta_2)\big) \\
\equiv\; & \bigvee_{e \in E_M} \mu\nu \models \bigvee_{t \in \mathbb{R}^{\ge 0}} \exists z\big(t = C^{\mathcal{M}}_{\mathcal{S}} - z \wedge \Diamond^{e,\Psi}_{\mathcal{M}}(\eta_1, \eta_2)\big) \\
\equiv\; & \bigvee_{e \in E_M} \mu\nu \models \exists z\Big(\bigvee_{t \in \mathbb{R}^{\ge 0}} \big(t = C^{\mathcal{M}}_{\mathcal{S}} - z \wedge \Diamond^{e,\Psi}_{\mathcal{M}}(\eta_1, \eta_2)\big)\Big)
\end{aligned}$$

Since $\Diamond^{e,\Psi}_{\mathcal{M}}(\eta_1, \eta_2)$ does not contain the variable $t$, the above formulas are equivalent to the following.

$$\bigvee_{e \in E_M} \mu\nu \models \exists z\Big(\big(\bigvee_{t \in \mathbb{R}^{\ge 0}} t = C^{\mathcal{M}}_{\mathcal{S}} - z\big) \wedge \Diamond^{e,\Psi}_{\mathcal{M}}(\eta_1, \eta_2)\Big)$$

Since $\bigvee_{t \in \mathbb{R}^{\ge 0}} t = C^{\mathcal{M}}_{\mathcal{S}} - z$ is a tautology, we have the following.

$$\begin{aligned}
& \bigvee_{e \in E_M} \mu\nu \models \exists z\big(\Diamond^{e,\Psi}_{\mathcal{M}}(\eta_1, \eta_2)\big) \\
\equiv\; & \mu\nu \models \Diamond^{\Psi}_{\mathcal{M}}(\eta_1, \eta_2)
\end{aligned}$$

The last step is from the definition of $\Diamond^{\Psi}_{\mathcal{M}}(\eta_1, \eta_2)$. Thus the lemma is proven. ■

Note that before the fulfillment of $\eta_2$, $\Diamond^{\Psi}_{\mathcal{M}}(\eta_1, \eta_2)$ is satisfied with play prefixes with only transitions internal to $\mathcal{S}$.

C. Multi-step timed inevitabilities by $\mathcal{M}$

In general, we want to characterize state-pairs from which $\mathcal{M}$ can force the fulfillment of $\eta_2$ through zero or more timed transition steps of $\mathcal{M}$ that do not violate the weak fairness assumptions in $\Psi$. We denote the set of such state-pairs as $(\mathcal{M})[\eta_1] U^{\Psi} [\eta_2]$. For convenience, given two formulas $\eta_1, \eta_2$ for sets of state-pairs, we let

$$U^{\Psi}_{\mathcal{M}}(\eta_1, \eta_2) \equiv \mathrm{lfp}\,Y.\big(\eta_2 \vee \Diamond^{\Psi}_{\mathcal{M}}(\eta_1, Y)\big)$$

Here lfp is the least fixpoint operator. $\mathrm{lfp}\,Y.(\eta_2 \vee \Diamond^{\Psi}_{\mathcal{M}}(\eta_1, Y))$ specifies a smallest solution to the equation $Y = \eta_2 \vee \Diamond^{\Psi}_{\mathcal{M}}(\eta_1, Y)$. The procedure to construct formulas for such least fixpoints can be found in [15], [24].

Lemma 16: For every state-pair $\mu\nu$ and formulas $\eta_1, \eta_2$ for state-pairs, $\mu\nu \in (\mathcal{M})[\eta_1] U^{\Psi} [\eta_2]$ iff $\mu\nu \models U^{\Psi}_{\mathcal{M}}(\eta_1, \eta_2)$.
Proof: We can prove this lemma in two directions.

(⇒) We assume that $\mu\nu \in (\mathcal{M})[\eta_1] U^{\Psi} [\eta_2]$ is true. We prove this direction by induction on the maximum number $n$ of timed transition steps of $\mathcal{M}$ needed to reach state-pairs in $[\eta_2]$ through state-pairs in $[\eta_1]$. In the base case, $n = 0$ and $\mu\nu \in [\eta_2]$. Then it is clear that $\mu\nu$ also satisfies every formula of the form $\eta_2 \vee \Diamond^{\Psi}_{\mathcal{M}}(\eta_1, Y)$. Thus $\mu\nu \models U^{\Psi}_{\mathcal{M}}(\eta_1, \eta_2)$ in the base case and the lemma is proven.

Now we assume that this direction of the lemma is true for every state-pair with maximum number no greater than $k$, with $k \ge 0$. Now we have a state-pair $\mu\nu$ with maximum number $k + 1$ of timed transition steps to reach state-pairs in $[\eta_2]$ through state-pairs in $[\eta_1]$. This implies that there exist an $e \in E_M$ and a $t \in \mathbb{R}^{\ge 0}$ with

$$\mu\nu \in (\mathcal{M})[\eta_1] \Diamond^{e,t}_\Psi \big((\mathcal{M})[\eta_1] U^{\Psi} [\eta_2]\big).$$

This means that in one timed transition step of $e$ and $t$ time units by $\mathcal{M}$, we end up in a state-pair $\mu'\nu'$ such that within $k$ timed transition steps of $\mathcal{M}$ through state-pairs in $[\eta_1]$, we can go from $\mu'\nu'$ to state-pairs in $[\eta_2]$. According to the inductive hypothesis, we know that $\mu'\nu'$ satisfies $U^{\Psi}_{\mathcal{M}}(\eta_1, \eta_2)$. Together, this implies the following deduction.

$$\mu\nu \models \Diamond^{\Psi}_{\mathcal{M}}\big(\eta_1, \mathrm{lfp}\,Y.(\eta_2 \vee \Diamond^{\Psi}_{\mathcal{M}}(\eta_1, Y))\big)$$

According to the definition of least fixpoint, the last step implies $\mu\nu \models \mathrm{lfp}\,Y.(\eta_2 \vee \Diamond^{\Psi}_{\mathcal{M}}(\eta_1, Y))$. By definition, this implies that $\mu\nu \models U^{\Psi}_{\mathcal{M}}(\eta_1, \eta_2)$. Thus this direction of the lemma is proven by induction.

(⇐) We assume that there exist $Y_0, Y_1, \ldots, Y_n$ such that $Y_0 = \eta_2$, $Y_n = \eta_2 \vee \Diamond^{\Psi}_{\mathcal{M}}(\eta_1, Y_n)$, and for every $i \in [0, n)$, $Y_{i+1} = \eta_2 \vee \Diamond^{\Psi}_{\mathcal{M}}(\eta_1, Y_i)$. We prove by induction on $k \in [0, n]$ that $\mu\nu \models Y_k$ implies $\mu\nu \in (\mathcal{M})[\eta_1] U^{\Psi} [\eta_2]$. The base case is that $k = 0$ and $\mu\nu \models \eta_2$. This implies that $\mu\nu \in [\eta_2]$ and $\mu\nu \in (\mathcal{M})[\eta_1] U^{\Psi} [\eta_2]$. Thus the base case is proven.

Now we assume that the lemma in this direction is true for all $i \in [0, k]$. Now we have a $\mu\nu \models Y_{k+1}$. This means that $\mu\nu \models \eta_2 \vee \Diamond^{\Psi}_{\mathcal{M}}(\eta_1, Y_k)$. There are two cases to analyze. The first is $\mu\nu \models \eta_2$ and coincides with the base case. Thus the first case is already proven.

The second case is $\mu\nu \models \Diamond^{\Psi}_{\mathcal{M}}(\eta_1, Y_k)$. According to lemma 14, this implies that $\mathcal{M}$ can force, in one timed transition step through state-pairs in $[\eta_1]$, a move to state-pairs $\mu'\nu'$ in $[Y_k]$. Moreover, the inductive hypothesis says that all such $\mu'\nu' \in (\mathcal{M})[\eta_1] U^{\Psi} [\eta_2]$. According to the definition of $(\mathcal{M})[\eta_1] U^{\Psi} [\eta_2]$, this implies that $\mu\nu \in (\mathcal{M})[\eta_1] U^{\Psi} [\eta_2]$. Thus the lemma is proven in this direction.

Thus the lemma is proven. ■

D. Simulation checking algorithm

Our plan is first to use the procedures in subsections VI-A, VI-B, and VI-C to construct a procedure for evaluating CSR state-pairs. Then we use this procedure to evaluate ISR state-pairs. For convenience, we denote

$$SP^{\mathcal{M}}_{\mathcal{S}} \equiv V_M \wedge V_S \wedge \bigwedge_{\text{state-predicate } \psi \in (\Psi_M - \Phi_S)} \psi$$

Conceptually, $SP^{\mathcal{M}}_{\mathcal{S}}$ denotes the state-predicates that a play satisfying $(\Phi_M - \Psi_S)(\Psi_M - \Phi_S)$ must stabilize with. Also we let $EP^{\mathcal{M}}_{\mathcal{S}}$ be the set of event-predicates in $(\Psi_M - \Phi_S)$. For convenience, we also let $\Phi = (\Phi_M - \Psi_S)$ and $\Psi = (\Psi_M - \Phi_S)$.

We present a greatest fixpoint characterization, denoted $UF^{\mathcal{M}}_{\mathcal{S}}$, of the CSR state-pairs with the MF-assumption $\Phi\Psi$. A state-pair $\mu\nu$ satisfies $UF^{\mathcal{M}}_{\mathcal{S}}$ if there is a fair run from $\mu$ such that all plays embedding the run from $\mu\nu$ cannot be fair for $\mathcal{S}$. The characterization follows.



$$UF^{\mathcal{M}}_{\mathcal{S}} \equiv \mathrm{gfp}\,W.\Big(\bigwedge_{\phi \in \Phi} U^{\Psi}_{\mathcal{M}}\big(SP^{\mathcal{M}}_{\mathcal{S}},\; (W \wedge \phi)\big)\Big)$$

Here gfp is the greatest fixpoint operator. $\mathrm{gfp}\,W.(\beta(W))$ is a largest solution $W$ to $W = \beta(W)$. The procedure to construct formulas for greatest fixpoints can be found in [15], [24]. The following lemma establishes the correctness of the characterization.

Lemma 17: A state-pair $\mu\nu$ is CSR with $(\Phi_M - \Psi_S)(\Psi_M - \Phi_S)$ iff $\mu\nu \models UF^{\mathcal{M}}_{\mathcal{S}}$.

Proof: Following definition 6, lemma 16, the definition of $SP^{\mathcal{M}}_{\mathcal{S}}$, and the semantics of greatest fixpoint, $UF^{\mathcal{M}}_{\mathcal{S}}$ is actually a rewriting of the CSR definition with logic formulas, the greatest fixpoint procedure, and the $U^{\Psi}_{\mathcal{M}}()$ procedure. Thus the lemma is proven. ■

Now we use $UF^{\mathcal{M}}_{\mathcal{S}}$ to evaluate ISR state-pairs. Given a fair run $\theta$ of $\mathcal{M}$, there are two classes of ISR state-pairs. The first class contains state-pairs that start no play embedding $\theta$. The second class contains state-pairs with a strategy to drive a play to stabilize in CSR state-pairs. The former can be evaluated with the traditional procedures for branching simulation [8], [23], [32]. Specifically, state-pairs in the first class can be characterized with the following lemma.

Lemma 18: A state-pair $\mu\nu$ is a first-class ISR state-pair iff

$$\mu\nu \models U^{\Psi}_{\mathcal{M}}\Big(V_M \wedge V_S,\; \Gamma(V_M \wedge V_S,\, V_M \wedge \neg V_S) \vee \bigvee_{e \in E_M,\; f \in E_S} ef(V_M \wedge \neg V_S)\Big)$$

Proof: $\mu\nu$ is first class iff for all strategies $\sigma$ of $\mathcal{S}$, $\mathrm{play}(\mu\nu, \theta, \sigma)$ is of finite length. There can only be two causes for the termination of the plays.

• Along a time progress operation, $\mathcal{M}$ moves to a valid state while $\mathcal{S}$ cannot. This is captured by the formula $\Gamma(V_M \wedge V_S,\, V_M \wedge \neg V_S)$.

• At a transition $e$ by $\mathcal{M}$, no compatible $f \in E_S$ can result in a valid state of $\mathcal{S}$. This is captured by $ef(V_M \wedge \neg V_S)$.

If and only if $\mathcal{M}$ can drive all plays to state-pairs with these two causes, then it is clear that all plays are finite in length. Thus the lemma is proven. ■

The state-pairs in the second class can be forced into infinite plays that stabilize in CSR state-pairs. Specifically, we have the following lemma.

Lemma 19: A state-pair $\mu\nu$ is a second-class ISR state-pair iff $\mu\nu \models U^{\Psi}_{\mathcal{M}}(V_M \wedge V_S,\, UF^{\mathcal{M}}_{\mathcal{S}})$.

Proof: This lemma follows from the definition of the second-class state-pairs, lemma 16, and lemma 17. ■

Combining lemmas 13, 18, and 19, we present the following lemma for the characterization of state-pairs that are in no simulation of a GBTA by a BTA.

Lemma 20: A state-pair $\mu\nu$ is in no simulation of a GBTA $(\mathcal{M}, \Phi_M\Psi_M)$ by a BTA $(\mathcal{S}, \Phi_S\Psi_S)$ iff $\mu\nu$ satisfies either

$$U^{\Psi}_{\mathcal{M}}\Big(V_M \wedge V_S,\; \Gamma(V_M \wedge V_S,\, V_M \wedge \neg V_S) \vee \bigvee_{e \in E_M,\; f \in E_S} ef(V_M \wedge \neg V_S)\Big)$$

or $U^{\Psi}_{\mathcal{M}}(V_M \wedge V_S,\, UF^{\mathcal{M}}_{\mathcal{S}})$.

E. Complexity

The complexity of our algorithm relies on the implementation of the basic manipulation procedures of zones. Like in [32], we argue that we can implement the formulas as sets of pairs of proposition valuations and regions [2]. In such an implementation, basic operations like subsumption, intersection, union, complement, time progression, and variable quantification can all be done in EXPTIME.

Lemma 21: Proper implementations of the formulation in lemma 20 can be done in EXPTIME.

Proof: According to [2], a zone can be implemented as a set of regions. The number of regions is exponential in the input size of $(\mathcal{M}, \Phi_M\Psi_M)$ and $(\mathcal{S}, \Phi_S\Psi_S)$. All precondition calculations need at most a polynomial number of region-set operations and can all be done in EXPTIME. The numbers of iterations of the least and greatest fixpoint procedures are at most the number of regions. Thus, summing everything up, we conclude that our algorithm can be executed in EXPTIME.



VII. SIMULATION-CHECKING AGAINST A SHARED ENVIRONMENT

In the real world, we usually want to check whether a system component satisfies its specification. In such a context, the simulation-checking is carried out against the same behavior of the environment of the component. Such a context can usually make room for verification efficiency if we carefully represent the common environment state information. In this section, we extend the simulation defined in section IV to simulation of a model by a specification against a common environment. Then we propose a technique to take advantage of the common environment information for simulation-checking efficiency.

In figure 3, there are two TAs for two environment processes. Note that location comp in figure 3(b) is labeled with a deadline $x_3 \le 10$. This means that the environment process in figure 3(b) can only stay in location comp for at most 10 time units. Thus the environment process in figure 3(a) may deliver late service while the one in figure 3(b) always delivers service within 10 time units. Against the environment described by figure 3(a), the $\mathcal{S}$ in figure 1(b) does not simulate the $\mathcal{M}$ in figure 1(a) since the $\mathcal{M}$ terminates the computation on late service while the $\mathcal{S}$ never terminates the computation. In comparison, against figure 3(b), the $\mathcal{S}$ simulates the $\mathcal{M}$ since the service is always in time.

A. CTA

We use CTAs (communicating timed automata) to model the interaction between an environment and a model (or a specification). The formal definition is in the following.

Definition 7: CTA. A CTA of two TAs $A$ and $B$, in symbols $A \times B$, is a TA with the following constraints.

• $P_{A \times B} = P_A \cup P_B$.

• $Q_{A \times B} = Q_A \times Q_B$.

• $\Sigma_{A \times B} = \Sigma_A = \Sigma_B$.

• $X_{A \times B} = X_A \cup X_B$.

• $I_{A \times B} = I_A \wedge I_B$.

• For each $(q_1, q_2) \in Q_{A \times B}$, $\lambda_{A \times B}((q_1, q_2)) = \lambda_A(q_1) \wedge \lambda_B(q_2)$.

For simplicity, we assume that $P_A \cap P_B = \emptyset$, $Q_A \cap Q_B = \emptyset$, and $X_A \cap X_B = \emptyset$. Moreover, the transitions of a product TA need to consider the synchronization between the two process TAs. Specifically, we let $E_{A \times B} \subseteq E_A \times E_B$. For each $(e, f) \in E_{A \times B}$, one of the following constraints must hold.

• $(e, f)$ represents the autonomous execution of a process TA with a transition without any events. Formally speaking, this means at least one of $e$ and $f$ is $\bot$, i.e., no operation. We have the following two cases to explain.

  – If $e \neq \bot$ and $f = \bot$, then $e \in E_A$, $\varepsilon_{A \times B}((e, f)) = \varepsilon_A(e) = \emptyset$, $\tau_{A \times B}((e, f)) = \tau_A(e)$, $\pi_{A \times B}((e, f)) = \pi_A(e)$.

  – If $e = \bot$ and $f \neq \bot$, then $f \in E_B$, $\varepsilon_{A \times B}((e, f)) = \varepsilon_B(f) = \emptyset$, $\tau_{A \times B}((e, f)) = \tau_B(f)$, $\pi_{A \times B}((e, f)) = \pi_B(f)$.

• $(e, f)$ represents the synchronized execution of the two process TAs respectively with a receiving event and a sending event of the same type. Formally speaking, this means that there is an $a \in \Sigma_{A \times B}$ with the following restrictions.

  – Either of the following two is true.

    * $\varepsilon_{A \times B}((e, f)) = \{?a@(A),\, !a@(B)\}$, $\varepsilon_A(e) = \{?a\}$, and $\varepsilon_B(f) = \{!a\}$.

    * $\varepsilon_{A \times B}((e, f)) = \{!a@(A),\, ?a@(B)\}$, $\varepsilon_A(e) = \{!a\}$, and $\varepsilon_B(f) = \{?a\}$.

  Note here we blend the process names and the operations into the names of the new events. For example, $?a@(A)$ and $!a@(A)$ respectively represent the receiving and the sending of event $a$ by process $A$.

  – $\tau_{A \times B}((e, f)) = \tau_A(e) \wedge \tau_B(f)$.

  – $\pi_{A \times B}((e, f)) = \pi_A(e) \cup \pi_B(f)$. ■
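As an added worked example (not code from the paper), the following Python constructs $A \times B$ by applying the two transition rules of Definition 7: autonomous event-free steps with one component $\bot$, and synchronized $?a$/$!a$ pairs whose guards are conjoined and whose reset sets are unioned. The dataclass encoding of TAs, the string guards, and the two constructed automata (loosely patterned on the environment of figure 3(a) and on table II, but not the paper's exact automata) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

BOT = None  # plays the role of ⊥: the process makes no move in this product step


@dataclass(frozen=True)
class Trans:
    src: str
    dst: str
    events: FrozenSet[str]   # epsilon(e): e.g. {"?request"}; empty = no events
    guard: str               # tau(e), kept as a symbolic string
    resets: FrozenSet[str]   # pi(e): clocks reset by the transition


@dataclass(frozen=True)
class TA:
    name: str
    locs: Tuple[str, ...]
    invariants: Dict[str, str]   # lambda: location -> invariant
    clocks: FrozenSet[str]
    trans: Tuple[Trans, ...]


@dataclass(frozen=True)
class ProdTrans:
    src: Tuple[str, str]
    dst: Tuple[str, str]
    events: FrozenSet[str]   # epsilon_{AxB}((e,f)): events tagged with @(process)
    guard: str               # tau_{AxB}((e,f))
    resets: FrozenSet[str]   # pi_{AxB}((e,f))
    pair: Tuple[Optional[Trans], Optional[Trans]]   # (e, f), BOT for no-op


def sync_event(ea: FrozenSet[str], eb: FrozenSet[str]) -> Optional[str]:
    """Name a if one side is exactly {?a} and the other exactly {!a}, else None."""
    if len(ea) != 1 or len(eb) != 1:
        return None
    (x,), (y,) = ea, eb
    if x[1:] == y[1:] and {x[0], y[0]} == {"?", "!"}:
        return x[1:]
    return None


def cta_product(A: TA, B: TA) -> dict:
    """Build A x B: locations Q_A x Q_B, conjoined invariants, clocks X_A u X_B,
    and the transition set E_{AxB} given by the two rules of Definition 7."""
    assert not (A.clocks & B.clocks), "Definition 7 assumes X_A and X_B are disjoint"
    Q = [(qa, qb) for qa in A.locs for qb in B.locs]
    lam = {q: f"({A.invariants[q[0]]}) and ({B.invariants[q[1]]})" for q in Q}
    E: List[ProdTrans] = []
    # Rule 1: autonomous execution of a transition without events; the other
    # process stays put (its component is ⊥), so guard and resets come from one side.
    for e in A.trans:
        if not e.events:
            for qb in B.locs:
                E.append(ProdTrans((e.src, qb), (e.dst, qb), frozenset(),
                                   e.guard, e.resets, (e, BOT)))
    for f in B.trans:
        if not f.events:
            for qa in A.locs:
                E.append(ProdTrans((qa, f.src), (qa, f.dst), frozenset(),
                                   f.guard, f.resets, (BOT, f)))
    # Rule 2: synchronized ?a / !a pair; guards are conjoined and resets unioned.
    # A transition whose event has no matching partner yields no product transition.
    sigma = set()
    for e in A.trans:
        for f in B.trans:
            a = sync_event(e.events, f.events)
            if a is None:
                continue
            sigma.add(a)
            tagged = frozenset({f"{ev}@({A.name})" for ev in e.events}
                               | {f"{ev}@({B.name})" for ev in f.events})
            E.append(ProdTrans((e.src, f.src), (e.dst, f.dst), tagged,
                               f"({e.guard}) and ({f.guard})",
                               e.resets | f.resets, (e, f)))
    return {"P": set(A.locs) | set(B.locs), "Q": Q, "lambda": lam,
            "X": A.clocks | B.clocks, "Sigma": sigma, "E": E}


# Constructed inputs (an assumption of this example): an environment E that
# receives ?request, sends !serve and receives an ?end nobody sends, and a
# specification S with an event-free transition to exercise rule 1.
ENV = TA("E", ("idle2", "wait2"), {"idle2": "true", "wait2": "true"}, frozenset({"x2"}), (
    Trans("idle2", "wait2", frozenset({"?request"}), "true", frozenset({"x2"})),
    Trans("wait2", "idle2", frozenset({"!serve"}), "true", frozenset()),
    Trans("wait2", "idle2", frozenset({"?end"}), "true", frozenset()),
))
SPEC = TA("S", ("standby", "process", "sleep"),
          {"standby": "true", "process": "true", "sleep": "true"}, frozenset({"x3"}), (
    Trans("standby", "process", frozenset({"!request"}), "x3 >= 5", frozenset({"x3"})),
    Trans("process", "standby", frozenset({"?serve"}), "true", frozenset()),
    Trans("process", "sleep", frozenset(), "x3 > 10", frozenset()),
))

PROD = cta_product(ENV, SPEC)


def find(prod: dict, src: Tuple[str, str], dst: Tuple[str, str]) -> List[ProdTrans]:
    """All product transitions between two product locations."""
    return [t for t in prod["E"] if t.src == src and t.dst == dst]


if __name__ == "__main__":
    for t in PROD["E"]:
        print(t.src, "->", t.dst, sorted(t.events), t.guard, sorted(t.resets))
```

The unmatched `?end` of the environment produces no product transition, which is exactly the blocking that a missing partner imposes in a CTA.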

Example 22: For the specification $\mathcal{S}$ in figure 1(b) and the environment $\mathcal{E}$ in figure 3(a), we have $\mathcal{E} \times \mathcal{S}$ with attributes in table II. ■

Since a CTA is also a TA, we explain how to interpret the notations about TAs for CTAs. Given a state $\alpha$ of $A$ and a state $\mu$ of $B$, $(\alpha, \mu)$ is called a state of $A \times B$. We say a state $(\alpha, \mu)$ satisfies a state predicate $\eta$ over $P_{A \times B}$ and $X_{A \times B}$, in symbols $(\alpha, \mu) \models \eta$, with the following inductive rules.

• For any $p \in P_A$, $(\alpha, \mu) \models p$ iff $\alpha \models p$.

• For any $p \in P_B$, $(\alpha, \mu) \models p$ iff $\mu \models p$.

• For any $x \in X_A$, $(\alpha, \mu) \models x \sim c$ iff $\alpha \models x \sim c$.

• For any $x \in X_B$, $(\alpha, \mu) \models x \sim c$ iff $\mu \models x \sim c$.

• $(\alpha, \mu) \models \neg\eta_1$ iff it is not the case that $(\alpha, \mu) \models \eta_1$.

• $(\alpha, \mu) \models \eta_1 \vee \eta_2$ iff $(\alpha, \mu) \models \eta_1$ or $(\alpha, \mu) \models \eta_2$.

The state after a transition $(e, f)$ from a state $(\alpha, \mu)$ of a CTA, denoted $(\alpha, \mu)(e, f)$, can also be interpreted as $(\alpha e, \mu f)$. A timed transition of $t$ time units from a state $(\alpha, \mu)$, denoted $(\alpha, \mu) + t$, can be defined as $(\alpha + t, \mu + t)$. In this way, we can also define the timed transition relation between two states $(\alpha, \mu), (\alpha', \mu')$ through a transition $(e, f)$ in $t$ time units, denoted as

$$(\alpha, \mu) \xrightarrow{t,\, (e, f)} (\alpha', \mu'),$$

with the following restrictions.
[Figure 3: (a) a non-responsive environment process $\mathcal{E}$ with transitions labeled ?request, !serve, and ?end; (b) a responsive environment process $\mathcal{E}$ with transitions labeled ?request (with reset $x_3 := 0$), !serve, and ?end.]

Fig. 3. A non-responsive and a responsive environment process.



TABLE II
Attributes of the CTA of $\mathcal{S}$ in figure 1(b) and $\mathcal{E}$ in figure 3(a).

$P_{\mathcal{E} \times \mathcal{S}}$ = {idle2, wait2, standby, process, sleep}
$Q_{\mathcal{E} \times \mathcal{S}}$ = {(standby, idle2), (standby, wait2), (process, idle2), (process, wait2), (sleep, idle2), (sleep, wait2)}
$X_{\mathcal{E} \times \mathcal{S}}$ = {x2, x3}
$I_{\mathcal{E} \times \mathcal{S}}$ = idle2 ∧ x2 = 0 ∧ standby ∧ x3 = 0
$\lambda_{\mathcal{E} \times \mathcal{S}}$ = (standby, idle2) ↦ true, (standby, wait2) ↦ true, (process, idle2) ↦ true, (process, wait2) ↦ true, (sleep, idle2) ↦ true, (sleep, wait2) ↦ true
$E_{\mathcal{E} \times \mathcal{S}}$ = {((standby, idle2), (process, wait2)), ((process, wait2), (standby, idle2))}
$\Sigma_{\mathcal{E} \times \mathcal{S}}$ = {request, serve, end}
$\varepsilon_{\mathcal{E} \times \mathcal{S}}$ = ((standby, idle2), (process, wait2)) ↦ {!request@($\mathcal{E}$), ?request@($\mathcal{S}$)}, ((process, wait2), (standby, idle2)) ↦ {?serve@($\mathcal{E}$), !serve@($\mathcal{S}$)}
$\tau_{\mathcal{E} \times \mathcal{S}}$ = ((standby, idle2), (process, wait2)) ↦ x2 > 5, ((process, wait2), (standby, idle2)) ↦ true
$\pi_{\mathcal{E} \times \mathcal{S}}$ = ((standby, idle2), (process, wait2)) ↦ {x3}, ((process, wait2), (standby, idle2)) ↦ {x2}

$a_1 \mapsto b_1, \ldots, a_k \mapsto b_k$ denotes a (partial or total) function $f$ with $f(a_1) = b_1, \ldots, f(a_k) = b_k$.



• For all $t' \in [0, t]$, $(\alpha, \mu) + t' \models V_A \wedge V_B$.

• $(\alpha, \mu) + t \models \tau_A(e) \wedge \tau_B(f)$.

• $((\alpha, \mu) + t)(e, f) = (\alpha', \mu')$.

Then a run of $A \times B$ can also be defined as a sequence

$$((\mu_0, \nu_0), (e_0, f_0), t_0) \ldots ((\mu_k, \nu_k), (e_k, f_k), t_k) \ldots$$

with $(\mu_k, \nu_k) \xrightarrow{t_{k+1} - t_k,\, (e_k, f_k)} (\mu_{k+1}, \nu_{k+1})$ for all $k \ge 0$.

Given a CTA $A \times B$ and an MF-assumption $\Phi\Psi$ of $A \times B$, $(A \times B, \Phi\Psi)$ is called a GCBTA (generalized communicating BTA). Similarly, $(A \times B, \Phi\Psi)$ is a CBTA (communicating BTA) if $|\Phi| + |\Psi| \le 1$.



B. Simulation of GCBTAs against an environment

Definition 8: Simulation of GCBTAs against an environment. A simulation $F_e$ of a model GCBTA $(\mathcal{M}, \Phi_M\Psi_M)$ by a specification GCBTA $(\mathcal{S}, \Phi_S\Psi_S)$ against an environment GCBTA $(\mathcal{E}, \Phi_E\Psi_E)$ is a binary relation $F_e \subseteq \mathbb{S}(\mathcal{E} \times \mathcal{M}) \times \mathbb{S}(\mathcal{E} \times \mathcal{S})$ such that for every $(\alpha, \mu)(\beta, \nu) \in F_e$, the following restrictions are satisfied.

SE1: $\alpha, \beta \in \mathbb{S}(\mathcal{E})$ with $\alpha = \beta$.

SE2: $\mu \in \mathbb{S}(\mathcal{M})$.

SE3: $\nu \in \mathbb{S}(\mathcal{S})$.

SE4: For every run $\theta$ of $\mathcal{E} \times \mathcal{M}$ from $(\alpha, \mu)$ that satisfies $(\Phi_M \cup \Phi_E)(\Psi_M \cup \Psi_E)$, there exists a play $\rho$ from $(\alpha, \mu)(\beta, \nu)$ with the following restrictions.

  – $\rho$ embeds $\theta$ and satisfies $(\Phi_E \cup \Phi_M \cup \Phi_S)(\Psi_E \cup \Psi_M \cup \Psi_S)$.

  – For every transition $(e, f)(e', g)$ along $\rho$, $e = e' \in E_{\mathcal{E}}$.

We say that $(\mathcal{S}, \Phi_S\Psi_S)$ simulates $(\mathcal{M}, \Phi_M\Psi_M)$ against environment $(\mathcal{E}, \Phi_E\Psi_E)$, in symbols

$$(\mathcal{M}, \Phi_M\Psi_M) \propto (\mathcal{S}, \Phi_S\Psi_S) : (\mathcal{E}, \Phi_E\Psi_E),$$

if there exists a simulation $F_e$ of $(\mathcal{M}, \Phi_M\Psi_M)$ by $(\mathcal{S}, \Phi_S\Psi_S)$ against $(\mathcal{E}, \Phi_E\Psi_E)$ such that for every $(\alpha, \mu) \models I_E \wedge V_E \wedge I_M \wedge V_M$, there exists an $(\alpha, \nu) \models I_E \wedge V_E \wedge I_S \wedge V_S$ with $(\alpha, \mu)(\alpha, \nu) \in F_e$. ■
As can be seen, definition 8 is more restrictive than definition 5 in its presentation. However, we can prove that they are equivalent.

Lemma 23: Given an environment GCBTA $(\mathcal{E}, \Phi_E\Psi_E)$, a model GCBTA $(\mathcal{M}, \Phi_M\Psi_M)$, and a specification GCBTA $(\mathcal{S}, \Phi_S\Psi_S)$, $(\mathcal{E} \times \mathcal{M}, (\Phi_E \cup \Phi_M)(\Psi_E \cup \Psi_M)) \propto (\mathcal{E} \times \mathcal{S}, (\Phi_E \cup \Phi_S)(\Psi_E \cup \Psi_S))$ iff $(\mathcal{M}, \Phi_M\Psi_M) \propto (\mathcal{S}, \Phi_S\Psi_S) : (\mathcal{E}, \Phi_E\Psi_E)$.

Proof: The backward direction of the proof is straightforward since every simulation against an environment in definition 8 is also a simulation in definition 5. Thus we only have to focus on the forward direction of the proof. We first assume that there is a simulation $F$ of $(\mathcal{E} \times \mathcal{M}, (\Phi_E \cup \Phi_M)(\Psi_E \cup \Psi_M))$ by $(\mathcal{E} \times \mathcal{S}, (\Phi_E \cup \Phi_S)(\Psi_E \cup \Psi_S))$. We can construct $F_e$ as follows.

$$F_e \equiv \{(\alpha, \mu)(\alpha, \nu) \mid (\alpha, \mu)(\beta, \nu) \in F\}.$$

Given an $(\alpha, \mu)(\beta, \nu) \in F$, it is apparent that $(\alpha, \mu)(\alpha, \nu)$ satisfies conditions SE1, SE2, and SE3 of definition 8. Then for every run $\theta$ of $\mathcal{E} \times \mathcal{M}$ from $(\alpha, \mu)$ satisfying $(\Phi_E \cup \Phi_M)(\Psi_E \cup \Psi_M)$, there exists a play $\rho$ from $(\alpha, \mu)(\beta, \nu)$ such that $\rho$ embeds $\theta$ and satisfies $(\Phi_E \cup \Phi_M \cup \Phi_S)(\Psi_E \cup \Psi_M \cup \Psi_S)$. Suppose

$$\rho = ((\alpha_0, \mu_0)(\beta_0, \nu_0), (e_0, f_0)(e'_0, g_0), t_0) \ldots ((\alpha_k, \mu_k)(\beta_k, \nu_k), (e_k, f_k)(e'_k, g_k), t_k) \ldots$$

This implies the following for all $k \ge 0$.

$$\begin{aligned}
\alpha_k &\xrightarrow{t_{k+1} - t_k,\; e_k} \alpha_{k+1} & \text{(v1)} \\
\mu_k &\xrightarrow{t_{k+1} - t_k,\; f_k} \mu_{k+1} & \text{(v2)} \\
\beta_k &\xrightarrow{t_{k+1} - t_k,\; e_k} \beta_{k+1}, \qquad \nu_k \xrightarrow{t_{k+1} - t_k,\; g_k} \nu_{k+1} & \text{(v3)}
\end{aligned}$$

Then we can construct a sequence $\rho_e$ as follows.

$$\rho_e = ((\alpha_0, \mu_0)(\alpha_0, \nu_0), (e_0, f_0)(e_0, g_0), t_0) \ldots ((\alpha_k, \mu_k)(\alpha_k, \nu_k), (e_k, f_k)(e_k, g_k), t_k) \ldots$$

We have the following two claims to prove the lemma.

CL1: $\rho_e$ is a play of $(\mathcal{E} \times \mathcal{M})$ by $(\mathcal{E} \times \mathcal{S})$ and embeds $\theta$.

CL2: $\rho_e$ satisfies $(\Phi_E \cup \Phi_M \cup \Phi_S)(\Psi_E \cup \Psi_M \cup \Psi_S)$.

Claim CL1 relies on the validity that for all $k \ge 0$,

$$(\alpha_k, \mu_k) \xrightarrow{t_{k+1} - t_k,\; (e_k, f_k)} (\alpha_{k+1}, \mu_{k+1}) \quad\text{and}\quad (\alpha_k, \nu_k) \xrightarrow{t_{k+1} - t_k,\; (e_k, g_k)} (\alpha_{k+1}, \nu_{k+1}).$$

These two statements rely on the following three statements.

$$\alpha_k \xrightarrow{t_{k+1} - t_k,\; e_k} \alpha_{k+1}, \qquad \mu_k \xrightarrow{t_{k+1} - t_k,\; f_k} \mu_{k+1}, \qquad \nu_k \xrightarrow{t_{k+1} - t_k,\; g_k} \nu_{k+1}.$$

The validity of the above three then follows from statements (v1), (v2), and (v3) above. Thus we know that $\rho_e$ is indeed a play of $(\mathcal{E} \times \mathcal{M}) \times (\mathcal{E} \times \mathcal{S})$. Furthermore, the validity of statements (v4) and (v5) implies that $\rho_e$ indeed embeds $\theta$.
Now we want to prove claim CL2. All assumptions in $\Phi_E \cup \Phi_M$ and $\Psi_E \cup \Psi_M$ are automatically satisfied since $\rho_e$ also embeds $\theta$ and $\theta$ satisfies $(\Phi_E \cup \Phi_M)(\Psi_E \cup \Psi_M)$. For a strong fairness assumption $\phi \in \Phi_S$, we have the following two cases to analyze.

• $\phi$ is a state-predicate. We claim that along $\rho_e$, for every $k \ge 0$, there exist an $h \ge k$ and a $t \in [0, t_{h+1} - t_h]$ with $(\alpha_h, \nu_h) + t \models \phi$. This is true since along $\rho$, $(\alpha_h, \mu_h)(\beta_h, \nu_h) + t \models \phi$, which implies that $\nu_h + t \models \phi$, which in turn implies the claim.

• $\phi = \eta_1\,a\,\eta_2$ is an event-predicate. We claim that along $\rho_e$, for every $k \ge 0$, there exists an $h \ge k$ with $(\alpha_h, \nu_h) + t_{h+1} - t_h \models \eta_1$, $a \in \varepsilon_{\mathcal{E}}(e_{h+1}) \cap \varepsilon_{\mathcal{S}}(g_{h+1})$, and $(\alpha_{h+1}, \nu_{h+1}) \models \eta_2$. This is true since along $\rho$, $(\alpha_h, \mu_h)(\beta_h, \nu_h) + t_{h+1} - t_h \models \eta_1$, $a \in \varepsilon_{\mathcal{E}}(e_{h+1}) \cap \varepsilon_{\mathcal{M}}(f_{h+1}) \cap \varepsilon_{\mathcal{S}}(g_{h+1})$, and $(\alpha_{h+1}, \mu_{h+1})(\beta_{h+1}, \nu_{h+1}) \models \eta_2$. This further implies that $\nu_h + t_{h+1} - t_h \models \eta_1$, $a \in \varepsilon_{\mathcal{S}}(g_{h+1})$, and $\nu_{h+1} \models \eta_2$. In the end, this implies the claim.

For a weak fairness assumption $\psi \in \Psi_S$, we have the following two cases to analyze.

• $\psi$ is a state-predicate. We claim that there exists a $k \ge 0$ such that for every $h \ge k$ and $t \in [0, t_{h+1} - t_h]$, $(\alpha_h, \nu_h) + t \models \psi$. This is true since along $\rho$, $(\alpha_h, \mu_h)(\beta_h, \nu_h) + t \models \psi$, which implies that $\nu_h + t \models \psi$, which in turn implies the claim.

• $\psi = \eta_1\,a\,\eta_2$ is an event-predicate. We claim that along $\rho_e$, there exists a $k \ge 0$ such that for all $h \ge k$, if $(\alpha_h, \nu_h) + t_{h+1} - t_h \models \eta_1$ and $a \in \varepsilon_{\mathcal{E} \times \mathcal{S}}((e'_{h+1}, g_{h+1}))$, then $(\alpha_{h+1}, \nu_{h+1}) \models \eta_2$. This is true since along $\rho$, if $(\alpha_h, \mu_h)(\beta_h, \nu_h) + t_{h+1} - t_h \models \eta_1$ and $a \in \varepsilon_{\mathcal{E} \times \mathcal{S}}((e'_{h+1}, g_{h+1})) = \varepsilon_{\mathcal{E} \times \mathcal{M}}((e_{h+1}, f_{h+1}))$, then $(\alpha_{h+1}, \mu_{h+1})(\beta_{h+1}, \nu_{h+1}) \models \eta_2$. This further implies that if $\nu_h + t_{h+1} - t_h \models \eta_1$ and $a \in \varepsilon_{\mathcal{E} \times \mathcal{S}}((e_{h+1}, g_{h+1}))$, then $\nu_{h+1} \models \eta_2$. In the end, this implies the claim.

With the proof of claims CL1 and CL2, we conclude that the lemma is proven. ■

According to lemma 23, we can check the classic simulation in definition 5 by checking the one in definition 8. This can be helpful in enhancing the verification performance when the common environment between the model and the specification is non-trivial.



C. Efficiency techniques for simulation against an environment

Lemma 23 implies that we can use the following techniques to enhance the simulation algorithm against an environment.

• Based on condition SE1 of definition 8, we significantly reduce the sizes of the spaces of state-pairs by disregarding state-pairs of the form $(\alpha,\mu)(\beta,\nu)$ with $\alpha \neq \beta$. Since the number of different zones representing the $\beta$'s can be exponential in the input size, the reduction can result in an exponential speed-up.

• By mapping the variables in $\beta$ in state-pairs $(\alpha,\mu)(\beta,\nu)$ to those in $\alpha$, we only have to record one copy of the values of each variable in $\alpha$. Since the size of BDD-like diagrams is exponential in the number of variables, this technique can also significantly reduce the memory usage of representations with BDD-like diagrams.

• In evaluating the precondition of state-pairs, we need to enumerate all the transition pairs of the form $(e,f)(e',g)$ with $e, e' \in E_{\mathcal{E}}$, $f \in E_{\mathcal{M}}$, and $g \in E_{\mathcal{S}}$. If we use the classic simulation, the enumeration is of size $O(|E_{\mathcal{E}}|^2 \cdot |E_{\mathcal{M}}| \cdot |E_{\mathcal{S}}|)$. But with the simulation against a common environment in definition 8, the enumeration is of size $O(|E_{\mathcal{E}}| \cdot |E_{\mathcal{M}}| \cdot |E_{\mathcal{S}}|)$, since both sides must take the same environment transition $e$. Thus a significant reduction in time and space complexity can also be achieved with definition 8.

VIII. Implementation 

We have implemented the techniques proposed in this manuscript in RED 8, a model/simulation-checker for CTAs and parametric safety analyzer for LHAs based on CRD (Clock-Restriction Diagram) [24] and HRD (Hybrid-Restriction Diagram) technology [26]. The state-pair spaces are explored in a symbolic on-the-fly style. To our knowledge, there is no other tool that supports fully automatic simulation checking with GBTAs.

We used parameterized networks of processes as our benchmarks. For a network of m processes, we use the integers 1 through m to index the processes. Users supply two index lists, the first for the indices of the model processes and the second for the indices of the specification processes. Process indices in neither list are treated as indices of environment processes. For example, we may have a system of 10 processes. The following describes a simulation-checking task of process 1 (the model) by process 2 (the specification).

1;2;

Here processes 3 through 10 are the environment processes.

To support convenience in presenting fairness assumptions, we allow parameterized expressions. For example, in table III(a), we have a simulation requirement with parameterized strong fairness assumptions. Here #PS is a parameter for the number of processes. Thus for a system of 10 processes, process 9 is the model, process 10 is the specification, while the others are the environment. The last assume statement is for the fairness assumption of the environment. The specification of event-predicates is in the following form.

type [η1] a [η2]

Here type is either 'strong' or 'weak'. [η1] and [η2] are respectively the optional precondition and the optional postcondition. We may also use quantified expressions to present several fairness assumptions together. For example, in the above,

assume { |k:2..#PS-2,
  strong true event { executes(k) };
}

presents the following strong fairness assumptions.

strong true event { executes(2) }
strong true event { executes(3) }
...
strong true event { executes(8) }
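The expansion of a quantified assumption for a concrete #PS, as an added example that is not RED's own code: the grammar it accepts (a `|var:lo..hi,` prefix with bounds of the form `n` or `#PS±n`) is an assumption inferred from the snippets above, not RED's actual parser.

```python
"""Expand a quantified RED-style fairness assumption for a concrete #PS.
Added example; the accepted syntax is inferred from the page's snippets."""
import re

# bound := integer | '#PS' [('+'|'-') integer]   (assumed grammar)
_BOUND = re.compile(r"^(#PS|\d+)\s*([+-]\s*\d+)?$")
# '|k:lo..hi, <assumption>;'                        (assumed grammar)
_QUANT = re.compile(r"^\s*\|\s*(\w+)\s*:\s*([^.]+)\.\.([^,]+),\s*(.*)$", re.S)

def eval_bound(expr: str, ps: int) -> int:
    """Evaluate a bound such as '2' or '#PS-2' without eval(); ps is #PS."""
    m = _BOUND.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported bound: {expr!r}")
    base = ps if m.group(1) == "#PS" else int(m.group(1))
    offset = int(m.group(2).replace(" ", "")) if m.group(2) else 0
    return base + offset

def expand_assume(block: str, ps: int) -> list[str]:
    """Instantiate an 'assume { |k:lo..hi, <assumption>; }' block into one
    assumption per value of k.  An unquantified block yields one assumption."""
    body = block.strip()
    if body.startswith("assume"):
        body = body[len("assume"):]
    body = body.strip("{} \n")                 # drop the enclosing braces
    m = _QUANT.match(body)
    if not m:
        return [body.rstrip(";").strip()]
    var, lo, hi, template = m.groups()
    template = template.strip().rstrip(";").strip()
    lo_v, hi_v = eval_bound(lo, ps), eval_bound(hi, ps)
    # substitute whole-word occurrences of the bound variable only
    return [re.sub(rf"\b{re.escape(var)}\b", str(k), template)
            for k in range(lo_v, hi_v + 1)]

# the quantified environment assumption from the page, for #PS = 10
SAMPLE = """assume { |k:2..#PS-2,
  strong true event { executes(k) };
}"""

if __name__ == "__main__":
    for line in expand_assume(SAMPLE, 10):
        print(line)                             # executes(2) ... executes(8)
```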

IX. Experiments 

To our knowledge, there is no other tool that supports fully automatic simulation checking with fairness assumptions for TAs like ours. So we only experimented with our algorithms.



TABLE III
TWO SIMULATION REQUIREMENTS

(a) One simulation requirement

#PS-1 assume {
  strong event { executes(#PS-1) };
};
#PS assume {
  strong true event { executes(#PS) } true;
};
assume { |k:2..#PS-2,
  strong true event { executes(k) };
}

(b) Another simulation requirement

#PS-1 assume {
  strong event { executes(#PS-1) };
};
#PS assume {
  weak idleS(#PS);
};
assume { |k:2..#PS-2,
  strong true event { executes(k) };
}

We report two experiments. The first is for timed branching simulation against a common environment without fairness assumptions, in subsection IX-A. In particular, we report the performance enhancement of the simulation in definition 8 (without fairness assumption) over the simulation in the classic definition.

The second experiment is for simulation against a common environment with fairness assumptions, in subsection IX-B. In particular, we use liveness properties in the experiment.

A. Report of timed branching simulation 

We used the following three parameterized benchmarks from the literature.

1. Fischer's timed mutual exclusion algorithm [24]: The algorithm relies on a global lock and a local clock per process to control access to a critical section. The two timing constants used are 10 and 19.

2. CSMA/CD [33]: This is the Ethernet bus arbitration protocol with collision-and-retry. The timing constants used are 26, 52, and 808.

3. Timed consumer/producer [27]: There is a buffer, some producers, and some consumers. The producers periodically write data to the buffer if it is empty. The consumers periodically wipe out the data, if any, in the buffer. The timing constants used are 5, 10, 15, and 20.

For each benchmark, we use one model process and one specification process. All the other processes are environment processes. Also for each benchmark, two versions are used, one with a simulation and one without. For the versions with a simulation, $\mathcal{M}$ and $\mathcal{S}$ are identical. For the versions without, $\mathcal{M}$ and $\mathcal{S}$ differ in only one process transition or invariance condition. For example, for Fischer's benchmark, the difference is that the triggering condition of a transition to the critical section of $\mathcal{S}$ is mistaken. The performance data is reported in table IV. The CPU time used and the total memory consumption for the data-structures in state-space representations are reported. As can be seen, the performance of our new simulation (definition 8) against a common environment is significantly better than that of the classic one (definition 5).

TABLE IV
Performance data of scalability w.r.t. various strategies

benchmarks             | versions              | m | Definition 5         | Definition 8
                       |                       |   | time    | memory     | time   | memory
Fischer's mutual       | Simulation exists.    | 4 | > 1800s | > 8M       | 31.3s  | 320k
exclusion              |                       | 5 | N/A     |            | 92.3s  | 664k
(m processes)          |                       | 6 | N/A     |            | 281s   | 1319k
                       | No simulation exists. | 4 | > 1800s | > 8.5M     | 11.7s  | 250k
                       |                       | 5 | N/A     |            | 28.0s  | 475k
                       |                       | 6 | N/A     |            | 86.7s  | 955k
CSMA/CD                | Simulation exists.    | 1 | 0.236s  | 102k       | 0.098s | 41k
(1 bus + m senders)    |                       | 2 | 72.9s   | 1791k      | 0.80s  | 177k
                       |                       | 3 | > 1800s | > 700M     | 125s   | 3503k
                       | No simulation exists. | 1 | 0.144s  | 103k       | 0.085s | 41k
                       |                       | 2 | 52.9s   | 3132k      | 2.03s  | 203k
                       |                       | 3 | N/A     |            | 25.7s  | 2089k
Consumer & producer    | Simulation exists.    | 3 | N/A     |            | 0.30s  | 57k
(1 buffer + 1 producer |                       | 4 | N/A     |            | 0.43s  | 65k
+ m consumers)         |                       | 5 | N/A     |            | 0.53s  | 75k
                       | No simulation exists. | 3 | N/A     |            | 0.99s  | 70k
                       |                       | 4 | N/A     |            | 1.35s  | 775k
                       |                       | 5 | N/A     |            | 1.16s  | 83k

Data collected on a Pentium 4 1.7GHz with 380MB memory running LINUX; [...] memory in data-structure; iter'n: the number of iterations.

B. Report of simulation with fairness assumptions 

We use a network of TAs as our benchmark for liveness property verification. A network consists of m process TAs. Process 1 is a dispatcher process. Processes 2 through m − 1 are the environment processes. Process m is the model and process m + 1 is the specification. The execution of a process depends on the incoming services from its peer processes. In figure 4, we draw three example topologies of networks: linear, binary-tree, and irregular. The nodes represent the processes while the arcs represent service channels. Inside each node, we put down the name of the TA for the process. Note that the model (process m) and the specification (process m + 1) have the same channel connections to the other processes.

The connection relation of the service channels is given in a 2-dimensional Boolean array serve. For the linear networks, serve(i, j) is true iff i ∈ [2, m − 1] and j = i + 1. For the binary-tree networks, serve(i, j) is true iff j/2 = i with integer division. For the irregular networks, for all i, j ∈ [2, m], serve(i, j) is true iff (i*prime(i%8)+prime(j%8)) is divisible by 7, where prime(i) is the i'th prime and '%' is the remainder operator. For example, in figure 4(c), processes 7 and 8, respectively the model and the specification, are served by both processes 4 and 5. Process 6 is only served by itself.
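The three serve relations above, written out as an added example (not the paper's or RED's code) together with a check against the figure 4(c) statement. One assumption is needed: prime(i) is read 0-indexed, prime(0) = 2, because that reading reproduces "processes 7 and 8 are served by 4 and 5; process 6 only by itself", while 1-indexing does not; the clients and servers are also assumed to range over [2, m] for all three topologies, as the page states for the irregular one.

```python
"""Service-channel relation serve(i, j) for the linear, binary-tree and
irregular benchmark networks.  Added example; see the lead-in for assumptions."""
from typing import Callable

def nth_prime(n: int) -> int:
    """0-indexed prime sequence (assumption): 2, 3, 5, 7, 11, 13, 17, 19, ..."""
    primes: list[int] = []
    cand = 2
    while len(primes) <= n:
        if all(cand % p for p in primes):
            primes.append(cand)
        cand += 1
    return primes[n]

def serve_relation(topology: str, m: int) -> Callable[[int, int], bool]:
    """Return serve(i, j) for a network with dispatcher 1, environment
    processes 2..m-1, model m and specification m+1.  The specification is
    given the same channels as the model, as the paper states."""
    def linear(i: int, j: int) -> bool:
        return 2 <= i <= m - 1 and j == i + 1
    def tree(i: int, j: int) -> bool:
        return j // 2 == i                         # integer division
    def irregular(i: int, j: int) -> bool:
        return (i * nth_prime(i % 8) + nth_prime(j % 8)) % 7 == 0
    base = {"linear": linear, "tree": tree, "irregular": irregular}[topology]
    def serve(i: int, j: int) -> bool:
        if j == m + 1:                             # specification mirrors the model
            j = m
        # servers and clients are drawn from [2, m]; the dispatcher never serves
        return 2 <= i <= m and 2 <= j <= m and base(i, j)
    return serve

def served_by(serve: Callable[[int, int], bool], m: int, k: int) -> set[int]:
    """Set of processes h in [2, m] with an open channel serve(h, k)."""
    return {h for h in range(2, m + 1) if serve(h, k)}

if __name__ == "__main__":
    # figure 4(c): m = 7, so process 7 is the model and 8 the specification
    serve = serve_relation("irregular", 7)
    for k in range(2, 9):
        print(k, sorted(served_by(serve, 7, k)))   # 7 and 8 -> [4, 5]; 6 -> [6]
```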

Templates of the state transition graphs of the processes can be found in figure 5. Figure 5(a) is the TA for the dispatcher process. Specifically, the dispatcher works as a scheduler that sends out an execution signal, exec, to the other processes to allow them to execute. There are two templates for the other processes. Figures 5(b) and (c) are the two templates for process k, with k ∈ [2, m + 1], waiting to enter their idle modes. A process that uses the template in figure 5(b) can execute only when it has received services from all its incoming channels. A process that uses the template in figure 5(c) can execute when it has received services from any of its incoming channels. Some details of the notation are $P_{A_1} = \emptyset$, $X_{A_1} = \emptyset$, $\Sigma_{A_1} = \{exec_2, \ldots, exec_m\}$, and for each $k \in [2, m]$, $P_{A_k} = Q_{A_k}$, $\Sigma_{A_k} = \{exec_k\}$, and $X_{A_k} = \{x_k\}$. Note that in the benchmark, a process may enter the idle mode only when all its incoming channels are from idle processes. For the experiment, we also tried another version of the benchmark in which a process may enter the idle mode when any of its incoming channels is from an idle process.

Fig. 4. Network topologies of processes [figure not reproduced]

Fig. 5. TA templates in a network of m processes [figure not reproduced]: (a) $A_1$ for the dispatcher; (b) template for $A_k$, $k \in [2, m+1]$, requesting service by all incomings; (c) template for $A_k$, $k \in [2, m+1]$, requesting service by one incoming.

For each benchmark, we use the two simulation requirements in table III. The performance data is reported in table V. As can be seen from the performance data, our techniques show promise for the verification of the fulfillment of liveness properties in concurrent computing.

X. Concluding remarks 

In this work, we investigate the simulation problem of TAs with multiple strong and weak fairness assumptions. For the succinct presentation of fairness assumptions, we also allow for event fairness properties. We then present an algorithm for the USF-simulation of GBTAs. The algorithm is based on symbolic model-checking and simulation-checking techniques and can be of interest by itself. We then propose a new simulation against a common environment between the model and the specification, and present efficiency techniques for this new simulation. Our implementation and experiments show promise that our algorithm could be useful in practice.
TABLE V
Performance data of scalability w.r.t. various bisimulation definitions

                 |   | service by all incomings            | service by one incoming
benchmarks       | m | strong          | weak              | strong          | weak
                 |   | time  | memory  | time  | memory    | time  | memory  | time   | memory
linear networks  | 1 | 1.16s | 67k     | 0.87s | 67k       | 0.44s | 48k     | 0.44s  | 48k
                 | 2 | 1.46s | 122k    | 1.88s | 122k      | 0.69s | 96k     | 0.589s | 97k
                 | 3 | 2.03s | 191k    | 4.22s | 192k      | 0.93s | 158k    | 1.14s  | 159k
                 | 4 | 2.60s | 281k    | 9.70s | 281k      | 1.46s | 244k    | 1.46s  | 244k
                 | 5 | 3.46s | 393k    | 20.3s | 393k      | 1.50s | 359k    | 1.48s  | 359k
                 | 6 | 6.22s | 28.3M   | 43.4s | 28.1M     | 1.91s | 508k    | 2.24s  | 508k
                 | 7 | 19.7s | 110M    | N/A   |           | 3.94s | 26.6M   | N/A    |
tree networks    | 1 | 0.94s | 68k     | 0.87s | 68k       | 0.41s | 50k     | 0.41s  | 51k
                 | 2 | 1.23s | 118k    | 1.56s | 119k      | 0.72s | 86k     | 0.456s | 87k
                 | 3 | 1.93s | 194k    | 2.89s | 194k      | 0.81s | 153k    | 0.62s  | 153k
                 | 4 | 2.44s | 284k    | 3.89s | 285k      | 0.93s | 234k    | 0.90s  | 235k
                 | 5 | 3.37s | 412k    | 7.18s | 412k      | 1.34s | 344k    | 1.16s  | 345k
                 | 6 | 5.41s | 556k    | 10.3s | 557k      | 1.55s | 486k    | 1.50s  | 487k
                 | 7 | 17.2s | 95.5M   | N/A   |           | 1.98s | 669k    | N/A    |
general networks | 1 | 1.10s | 105k    | 1.18s | 105k      | 0.88s | 191k    | 0.91s  | 192k
                 | 2 | 1.06s | 180k    | 0.78s | 180k      | 1.47s | 319k    | 1.15s  | 319k
                 | 3 | 1.15s | 216k    | 0.82s | 216k      | 1.19s | 343k    | 0.92s  | 344k
                 | 4 | 1.82s | 436k    | 2.19s | 436k      | 2.17s | 947k    | 3.25s  | 947k
                 | 5 | 2.06s | 595k    | 1.77s | 596k      | 2.76s | 1.26M   | 2.89s  | 1.27M
                 | 6 | 3.82s | 27.8M   | 3.11s | 27.9M     | 4.92s | 1.56M   | 12.8s  | 1.56M
                 | 7 | 16.1s | 107M    | N/A   |           | 16.0s | 90.7M   | N/A    |

In the benchmarks, there are a model process, a specification process, and m environment processes. 'N/A' means "[...]". Data collected on a Pentium 4 1.7GHz with 380MB memory running LINUX; s: seconds; k: kilobytes of memory in data-structure; M: megabytes of total memory.